Re: Determining strength of encryption provided by a GSS-API mechanism

To: Love Hörnquist Åstrand <lha at kth.se>
Subject: Re: Determining strength of encryption provided by a GSS-API mechanism
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Wed, 12 Aug 2009 13:16:33 -0500
Cc: "kitten at ietf.org" <kitten at ietf.org>
Delivered-to: kitten at core3.amsl.com
In-reply-to: <AF005B3D-73FB-411F-AA8B-783F39E6263E at kth.se>
List-archive: <http://www.ietf.org/mail-archive/web/kitten>
List-help: <mailto:kitten-request@ietf.org?subject=help>
List-id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-post: <mailto:kitten@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
References: <4A815FC7.8000400 at isode.com> <AF005B3D-73FB-411F-AA8B-783F39E6263E at kth.se>
User-agent: Mutt/1.5.7i

On Tue, Aug 11, 2009 at 11:42:53PM +0200, Love Hörnquist Åstrand wrote:
> 
> 11 aug 2009 kl. 14:10 skrev Alexey Melnikov:
> 
> > Is such API already available
> 
> no

Though we've discussed designs for APIs that allow applications to
request / determine which strength profiles to use / are in use.

> >and if the answer is no, are people interested in working on  
> >defining it?
> 
> sure, I think the definition of SSF is broken, and its not simple to  
> understand, racing to yet another higher number seems bad.

Indeed.  SSF is bad, bad, bad.

It's not possible to permanently assign a "strength" number to a
mechanism or "enctype".  Strength is in the eye of the beholder and may
vary with time.  And users shouldn't, and likely don't, care about
numeric strength representations -- they should, and probably do, care
about strength representations in their language, such as "strong",
names of standards (e.g., "fips140-1"), and so on.

IMO only relative strength should matter, and rather than use numbers we
should use names of policies, policies that can be created and
maintained locally or, in the case of policies that correspond to
standards, delivered by vendors and updated as those standards are
updated.

No, that's not helpful to you: even if we had such GSS APIs you'd still
have to introduce equivalent SASL APIs and you'd still have to do
something about SSF for backwards compatibility.

Nico
--

Follow-Ups:
- Re: Determining strength of encryption provided by a GSS-API mechanism
  - From: Alexey Melnikov

References:
- Determining strength of encryption provided by a GSS-API mechanism
  - From: Alexey Melnikov
- Re: Determining strength of encryption provided by a GSS-API mechanism
  - From: Love Hörnquist Åstrand

Prev by Date: RFC 5653 on Generic Security Service API Version 2: Java Bindings Update
Next by Date: Re: Determining strength of encryption provided by a GSS-API mechanism
Previous by thread: Re: Determining strength of encryption provided by a GSS-API mechanism
Next by thread: Re: Determining strength of encryption provided by a GSS-API mechanism
Index(es):
- Date
- Thread

Re: Determining strength of encryption provided by a GSS-API mechanism

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.