Re: KITTEN: IETF 75 - 76
Nicolas Williams wrote:
>
> > I'm not worried about rekeying, if you want to tackle that we are
> > redoing the whole gss-api model.
>
> Not really. The SSPI does it, and the SSPI is very similar to the
> GSS-API. Re-keying would be an incremental change, not a fundamental
> one (but it would require updates to app protocols in order for them to
> be able to use it). For SASL, re-keying would be much more intrusive.
> No, I don't care about re-keying.
Re-keying will require re-design of the API.
I'm not aware of rekeying being available in SSPI.
It must be available in some way for schannel, because IIS is
able to perform renegotiation in order to request a client cert
after having looked at the URL -- but I do not think it exists
for NTLM or Kerberos 5 SSPs. If I'm wrong, do you have a URL
to the Microsoft documentation describing how it works?
In traditional GSS-API it is not possible to modify a security
context once it has been established. And a communication might
go entirely unidirectional after security context establishment
for the rest of its lifetime (e.g. the data channel of an FTP
with GSS-API extensions).
-Martin
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.