Re: KITTEN: IETF 75 - 76

To: Martin Rex <Martin.Rex at sap.com>
Subject: Re: KITTEN: IETF 75 - 76
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Wed, 19 Aug 2009 15:29:14 -0500
Cc: kitten at ietf.org, Shawn.Emery at sun.com
Delivered-to: kitten at core3.amsl.com
In-reply-to: <200908191923.n7JJNwWq027044 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/kitten>
List-help: <mailto:kitten-request@ietf.org?subject=help>
List-id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-post: <mailto:kitten@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
References: <20090819163215.GD1043 at Sun.COM> <200908191923.n7JJNwWq027044 at fs4113.wdf.sap.corp>
User-agent: Mutt/1.5.7i

On Wed, Aug 19, 2009 at 09:23:58PM +0200, Martin Rex wrote:
> Nicolas Williams wrote:
> > 
> > > GSS-API is part of the identity selection problem since its the holder  
> > > of credentials.
> > > 
> > > The application/framework will need to drive authentication and select/ 
> > > try credentials as it seems approproate and remember what of them was  
> > > useful.
> > > 
> > > This would work today, if it was possible to get initial credentials  
> > > and list existing/configured credentials
> > 
> > Sure.  An iterator following the same design principles as
> > gss_display_status() would look like:
> > 
> > OM_unit32 gss_list_default_cred_names(
> > 	OM_uint32 *minor_status,
> > 	gss_name_t  *name,
> > 	int	    *more
> > );
> 
> That call looks somewhat restricted to me.

It is.  It should be sufficient however.  (Here name would be an MN.)

If you care about specific mechs you could then call gss_add_cred() with
each name output by gss_list_default_cred_names() and inquire the
result.

> How about something like this:
> 
> OM_uint32 gss_list_default_cred_names(
> 	OM_uint32    * minor_status,
> 	gss_name_t   * name,
> 	gss_OID_set  * mech_oids,
> 	int          * is_default,
> 	OM_uint32    * cred_context
> );

What's "cred_context"?  Would that correspond to the 'more' argument in
my variant?

But yes, it'd be quite useful (though not strictly necessary) to output
a mech OID set and is_default.  As long as only mech OIDs that are all
in the same family (and therefore have the same MN/exported name token
forms) are allowed to appear in mech_oids.

Nico
--

Follow-Ups:
- Re: KITTEN: IETF 75 - 76
  - From: Martin Rex

References:
- Re: KITTEN: IETF 75 - 76
  - From: Nicolas Williams
- Re: KITTEN: IETF 75 - 76
  - From: Martin Rex

Prev by Date: Re: KITTEN: IETF 75 - 76
Next by Date: Re: KITTEN: IETF 75 - 76
Previous by thread: Re: KITTEN: IETF 75 - 76
Next by thread: Re: KITTEN: IETF 75 - 76
Index(es):
- Date
- Thread

Re: KITTEN: IETF 75 - 76

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.