Re: CIFS and the krb5 PRF

The raw session key has very different properties than the output of
GSS_Pseudo_random(). We all agree that there is a need for
implementations of the krb5 mechanism to be able to expose the raw
components of the ticket. The components that applications need access
to are not limited to the session key. That is the reason the MIT
implementation is going to provide an implementation-specific extension
to access all of the components of the ticket associated with the GSS
Context. Let's not try to mix apples and oranges.

As for RFC 2712 (Kerberos Ciphers for TLS), this protocol does not use
GSS.  It would therefore provide no benefit to add this functionality.
What we do need to do is scrap RFC 2712 and replace it with something
either based on GSS or at least something that makes use of the KCrypto
PRF.  That discussion is not within the bounds of the Kitten charter.

Jeffrey Altman


Liqiang(Larry) Zhu wrote:

> What about adding a flag argument to GSS_Pseudo_random(), thus we can
> allow implementations to *optionally* expose the raw session key via the
> PRF. I am saying so assuming folks genuinely need to support a way to
> interop with existing applications that expose the direct Kerberos key
> today, Kerb-TLS, to think of it, is one of them.
> 
> -- Larry
