Re: Determining strength of encryption provided by a GSS-API mechanism



> 	gss_buffer_t	context_establishement_policy,
> 	gss_buffer_t	per_msg_token_policy

These buffers would have policy names, in the caller's locale's codeset,
or maybe just all US-ASCII.  We'd also need a function to get localized
policy names (and descriptions).  And we'd need a namespace for
standards-based policy names vs. local policy names.  Plus a policy
comparison function.

OM_uint32
gss_display_policy(
	OM_uint32	*minor_status,
	gss_buffer_t	policy,
	gss_buffer_t	localized_name,
	gss_buffer_t	localized_desc,
	int		*is_context_establishement_policy,
	int		*is_per_msg_token_policy
);

A function for listing known policies would also be nice.  The contents
of policies would be purely local; no interchange format is needed.

/*
 * 'result' is set to 1 if policy1 is a superset of policy2, 0 if the
 * two policies are equivalent, and -1 if they are disjoint or if
 * policy2 is a superset of policy1.
 *
 * If mech is GSS_NO_OID then the comparison is across all available
 * mechanisms.  (Internally the framework would call the
 * compare_policies method for each available mechanism, and set result
 * to 1 or 0 only if all the comparisons output the same non-negative
 * value, else -1.)
 */
OM_uint32
gss_compare_policies(
	OM_uint32	*minor_status,
	gss_OID		mech, /* may be GSS_NO_OID */
	gss_buffer_t	policy1,
	gss_buffer_t	policy2,
	int		*result
);
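
The GSS_NO_OID aggregation rule described in the comment above, as an added example that is not part of the original message and is not real GSS-API code. The policy names, bit sets, mechanism names and both function names are constructed for illustration, and a NULL mechanism name stands in for GSS_NO_OID.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not real GSS-API: policy name -> bit set of admitted protections. */
struct policy_entry { const char *name; unsigned set; };
struct mech { const char *name; const struct policy_entry *tab; size_t n; };

static const struct policy_entry mech_a_tab[] = {
    { "integrity-only", 0x1 }, { "conf-any", 0x7 }, { "conf-strong", 0x4 } };
static const struct policy_entry mech_b_tab[] = {
    { "integrity-only", 0x1 }, { "conf-any", 0x6 }, { "conf-strong", 0x4 } };
static const struct mech mechs[] = {
    { "mech-a", mech_a_tab, 3 }, { "mech-b", mech_b_tab, 3 } };

/* Hypothetical per-mechanism method: 0 and *result set, or 1 if a name is unknown. */
static int mech_compare(const struct mech *m, const char *p1, const char *p2, int *result)
{
    const struct policy_entry *a = NULL, *b = NULL;
    for (size_t i = 0; i < m->n; i++) {
        if (strcmp(m->tab[i].name, p1) == 0) a = &m->tab[i];
        if (strcmp(m->tab[i].name, p2) == 0) b = &m->tab[i];
    }
    if (a == NULL || b == NULL) return 1;
    if (a->set == b->set) *result = 0;                  /* equivalent */
    else if ((a->set & b->set) == b->set) *result = 1;  /* policy1 is a strict superset */
    else *result = -1;              /* disjoint, or policy2 is the superset */
    return 0;
}

/* Framework side (hypothetical). mech_name == NULL stands in for GSS_NO_OID. */
int compare_policies(const char *mech_name, const char *p1, const char *p2, int *result)
{
    int agreed = -2;                /* -2: no mechanism consulted yet */
    for (size_t i = 0; i < sizeof mechs / sizeof mechs[0]; i++) {
        int r;
        if (mech_name != NULL && strcmp(mechs[i].name, mech_name) != 0) continue;
        if (mech_compare(&mechs[i], p1, p2, &r) != 0) return 1;
        if (agreed == -2) agreed = r;
        else if (agreed != r) agreed = -1;   /* mechanisms disagree */
    }
    if (agreed == -2) return 1;     /* no such mechanism */
    *result = agreed;
    return 0;
}

int main(void)
{
    int r = 0, st = compare_policies(NULL, "conf-any", "integrity-only", &r);
    printf("status=%d result=%d\n", st, r);
    return 0;
}
```

In this constructed data the two mechanisms disagree about "conf-any" versus "integrity-only", so the cross-mechanism answer is -1 even though mech-a alone reports a superset.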
