Re: KITTEN: IETF 75 - 76

To: Martin Rex <Martin.Rex at sap.com>
Subject: Re: KITTEN: IETF 75 - 76
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Thu, 20 Aug 2009 13:27:21 -0500
Cc: kitten at ietf.org, Shawn.Emery at sun.com
Delivered-to: kitten at core3.amsl.com
In-reply-to: <200908201800.n7KI0Uqp020684 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/kitten>
List-help: <mailto:kitten-request@ietf.org?subject=help>
List-id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-post: <mailto:kitten@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
References: <20090820153638.GW1043 at Sun.COM> <200908201800.n7KI0Uqp020684 at fs4113.wdf.sap.corp>
User-agent: Mutt/1.5.7i

On Thu, Aug 20, 2009 at 08:00:30PM +0200, Martin Rex wrote:
> Nicolas Williams wrote:
> > What about lifetime?  Why is that necessary?
> 
> In order to distinguish valid from expired credentials right away.

That only requires a boolean :)

> > Sure, we could put all outputs of GSS_Inquire_cred*() here.
> 
> I see a difference here.  GSS_Inquire_cred() is about _real_ credential
> handles.  The new API call is about _conceivable_ credentials which
> the mechanism does not actually need to create.

Do you mean that, for example, if you have expired Kerberos creds then
this function could still return the principal name associated with
them, even though the creds are expired?  Or that if you have no creds,
not even expired ones, but the mechanisms could derive a principal
name(s) from your local user ID, then this function could return that?

> > Heck, cred_usage seems a lot more useful that lifetime in this context.
> 
> Now that you mention it -- I would like a cred_usage INPUT parameter here!

I thought so :)

> > > But I would NOT want to require the name to be an MN here!
> > [...]
> On a Windows platform, there might be a multi-mechanism offering
> ntlm _and_ Kerberos 5.  In theory these use distinct namespaces,
> in practice, a mapping is possible if they both refer to an
> account in a W2K+ Active Directory.

That's not true in all configurations, but OK.  I'd be OK with that
provided that there was some name mapping function that, given an MN,
returns a generic NAME object that the MN can be "canonicalized" to.

> Do we want an API call that can only enumerate credentials for
> individual mechanisms, or more appropriately, an API call that can
> enumerate aggregate credentials with names from distinct namespaces.

I want an API that is mechanism/mechanism-family specific, at least as
an option.

Nico
--

References:
- Re: KITTEN: IETF 75 - 76
  - From: Nicolas Williams
- Re: KITTEN: IETF 75 - 76
  - From: Martin Rex

Prev by Date: Re: KITTEN: IETF 75 - 76
Next by Date: Re: KITTEN: IETF 75 - 76
Previous by thread: Re: KITTEN: IETF 75 - 76
Next by thread: Re: KITTEN: IETF 75 - 76
Index(es):
- Date
- Thread

Re: KITTEN: IETF 75 - 76

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.