Re: Determining strength of encryption provided by a GSS-API mechanism

To: Alexey Melnikov <alexey.melnikov at isode.com>
Subject: Re: Determining strength of encryption provided by a GSS-API mechanism
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Wed, 12 Aug 2009 17:42:17 -0500
Cc: "kitten at ietf.org" <kitten at ietf.org>
Delivered-to: kitten at core3.amsl.com
In-reply-to: <4A834194.6030508 at isode.com>
List-archive: <http://www.ietf.org/mail-archive/web/kitten>
List-help: <mailto:kitten-request@ietf.org?subject=help>
List-id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-post: <mailto:kitten@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
References: <4A815FC7.8000400 at isode.com> <AF005B3D-73FB-411F-AA8B-783F39E6263E at kth.se> <20090812181633.GG10982 at Sun.COM> <4A832155.10801 at isode.com> <20090812212501.GK10982 at Sun.COM> <4A834194.6030508 at isode.com>
User-agent: Mutt/1.5.7i

On Wed, Aug 12, 2009 at 11:26:28PM +0100, Alexey Melnikov wrote:
> Nicolas Williams wrote:
> >Searching my sent box for mails with "qop" in the subject I see this:
> 
> :-).

:)

> >Apps hardcode SSF values at build time,
> >
> Actually apps don't. My server certainly doesn't. It has 2 file 
> configuration options: min_ssf and max_ssf for controlling use of 
> security layers.

Ah, I stand corrected.

> >as do mechanisms.
> >
> Mechanisms do, because they have no way of learning from GSS-API. So 
> either mechanisms have to hardcode the highest known value, or they need 
> to lie that they support certain SSF.

Right.

> >There's other things that are bad:
> >
> >- numbers for this just suck; policy names are much better
> > 
> >
> Well, it means you need to have entirely different API and, more 
> importantly, UI for managing such policies. Good UIs like this are 
> difficult.

I have given the subject much thought, though intermittently, over the
past few years.  I believe the API that I've sketched for you is a very
good start, and that it makes it possible to have very simple UIs for
users and server configuration.

The hard part is about how to express policies.  E.g., a simple "must
use AES" is not enough, and policies are almost unavoidably going to
have mechanism-specific contents.  But fortunately, because policy
contents is a local problem, policy expression is not our problem here :)

(Policy interchange formats are not really a problem that we need to
solve either.  Standard policies could be expressed in English, with the
task of expressing them in machine-readable form being left to
implementors.)

Nico
--

References:
- Determining strength of encryption provided by a GSS-API mechanism
  - From: Alexey Melnikov
- Re: Determining strength of encryption provided by a GSS-API mechanism
  - From: Love Hörnquist Åstrand
- Re: Determining strength of encryption provided by a GSS-API mechanism
  - From: Nicolas Williams
- Re: Determining strength of encryption provided by a GSS-API mechanism
  - From: Alexey Melnikov
- Re: Determining strength of encryption provided by a GSS-API mechanism
  - From: Nicolas Williams
- Re: Determining strength of encryption provided by a GSS-API mechanism
  - From: Alexey Melnikov

Prev by Date: Re: Determining strength of encryption provided by a GSS-API mechanism
Next by Date: KITTEN: IETF 75 - 76
Previous by thread: Re: Determining strength of encryption provided by a GSS-API mechanism
Next by thread: RFC 5653 on Generic Security Service API Version 2: Java Bindings Update
Index(es):
- Date
- Thread

Re: Determining strength of encryption provided by a GSS-API mechanism

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.