Re: KITTEN: IETF 75 - 76

[Love Hörnquist Åstrand <lha at kth.se>]

17 aug 2009 kl. 10:26 skrev Nicolas Williams:

> ISC?

init sec context.

> I don't want to re-design the API from scratch if we can avoid it.

if we are doing an async api, its redoing the api.

> Moreover, all of the enhancements we're discussing are incremental,
> _except_ for this one and the multi-princ credentials one; this one  
> fits
> right in as proposed above, and we can solve the multi-princ  
> credentials
> problem incrementally too.  If we had more problems to fix that are  
> not
> incremental then I'd agree on a whole re-design.

I find PGSSAPI very distasteful.

> Also, I don't agree that there's no way to add new token types, if
> that's what you meant.  You could add support for new tokens (e.g.,
> re-key tokens, default QoP cipher change, ...) as follows:

There is no way to add more input variables to ISC.

ISC have been extended to day, for example for NFS. you have to  
acquire a special NFS credentials, modify the credential to select  
what enctypes the kernel supports, and then call ISC. This doesn't  
work for credential when you talk to different servers that have  
diffrent properties, like TLS channel bindings.

I'm not worried about rekeying, if you want to tackle that we are  
redoing the whole gss-api model.

Love