Re: KITTEN: IETF 75 - 76

To: leifj at mnt.se
Subject: Re: KITTEN: IETF 75 - 76
From: Martin Rex <Martin.Rex at sap.com>
Date: Tue, 18 Aug 2009 01:02:07 +0200 (MEST)
Cc: kitten at ietf.org
Delivered-to: kitten at core3.amsl.com
In-reply-to: <200908180013.29152.leifj at mnt.se> from "Leif Johansson" at Aug 18, 9 00:13:28 am
List-archive: <http://www.ietf.org/mail-archive/web/kitten>
List-help: <mailto:kitten-request@ietf.org?subject=help>
List-id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-post: <mailto:kitten@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com

Leif Johansson wrote:
> 
> That was exporting unfinished contexts actually - slightly different.

exporting&importing unfinished security contexts will usually
break the gssapi architecture.

The context establishement calls take a number of arguments
that must be the same for the initial and all iteration calls,
and it is an implementation issue at which point which of these
parameters is accessed.

Fully established security contexts do not normally need access to
credentials (the gss_cred_id_t that was provided to gss_init_sec_context
or gss_accept_sec_context can be released when the security context
establishment has completed or failed).

During security context establishment, access to credentials might
be necessary at various stages, and the caller would have to
make sure the parameters during each iteration call are the same
as during the first call.

Credentials that are stored on a hardware token are often not
transferable, and also may require a serialization of the access.

> 
> >
> > >    4. error message reporting
> > >    5. asynchronous calls
> >
> > The last 2 are generally required for use by modern applications.
> 
> hmm, is asynchronous calls related to exportable contexts perhaps...?

What exactly do you mean by asynchronous calls??

GSS-API does not include message transport, so all calls are
by definition asynchronous.

Or were you thinking about the Kerberos 5 gssapi mechanisms communication
with the KDC during gss_init_sec_context() (and possibly during
gss_acquire_cred for some newer implementations)?

-Martin

Follow-Ups:
- Re: KITTEN: IETF 75 - 76
  - From: Nicolas Williams

References:
- Re: KITTEN: IETF 75 - 76
  - From: Leif Johansson

Prev by Date: Re: KITTEN: IETF 75 - 76
Next by Date: Re: KITTEN: IETF 75 - 76
Previous by thread: Re: KITTEN: IETF 75 - 76
Next by thread: Re: KITTEN: IETF 75 - 76
Index(es):
- Date
- Thread

Re: KITTEN: IETF 75 - 76

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.