Re: CIFS and the krb5 PRF

On Sun, 2005-06-26 at 19:35 -0400, Sam Hartman wrote:
> >>>>> "Matt" == Matt Peterson <mpeterson at vintela.com> writes:
> 
>     Matt> Hi,
>     >> > Jeffrey Altman wrote:
>     >> > I have started a discussion with you on the krbdev at mit.edu mailing
>     >> > list. Let's take this discussion there. I am sure that we can work
>     >> > with you to get the functionality you need into a future release
>     >> > without muddying the GSS standards track.
> 
>     Matt> So can someone explain why this is a krbdev at mit.edu
>     Matt> discussion and not something suited to the kitten list?  I
>     Matt> don't think it is muddying the waters at all.  It seems to me
>     Matt> like a legitimate request for generic API functionality.
> 
> I think the argument is that it is outside the kitten charter.
> 
> Speaking as an individual, I don't want to see kitten become a forum
> for Microsoft interoperability.  I'd rather see the GSSAPI be a well
> designed security API, not one forced to support all the mistakes
> Microsoft made.  We'll be busy enough supporting the mistakes we make.
> 
> That said, I believe we may actually want an API for extracting the
> key or at least something that maps on the EAP MSK and EMSK.

Given the strongly held views represented here that Samba4 (in
particular) should not be locked into a particular Kerberos/GSSAPI
implementation, where should I address discussion about the changes that
Samba4 requires?

I have already made a number of experimental modifications to Heimdal
kerberos (a copy of which we will ship built into Samba4 for initial
release).  While I already get some good feedback from Love, I know
others have views.  

The 'CIFS Session key' export is just one of these required extensions -
we also need to change the GSS_Wrap arguments to support AEAD, and
closer control over the underlying Kerberos behaviour.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

_______________________________________________
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.