[kitten] Proposed GSS extension for explicit credential stores
Nico Williams <nico@cryptonector.com> Tue, 03 April 2012 04:56 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69EB321F8577 for <kitten@ietfa.amsl.com>; Mon, 2 Apr 2012 21:56:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.437
X-Spam-Level:
X-Spam-Status: No, score=0.437 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4PPpd3LnM2fX for <kitten@ietfa.amsl.com>; Mon, 2 Apr 2012 21:56:43 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (caiajhbdccah.dreamhost.com [208.97.132.207]) by ietfa.amsl.com (Postfix) with ESMTP id 9FD9F21F842F for <kitten@ietf.org>; Mon, 2 Apr 2012 21:56:43 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id 3ED3494064 for <kitten@ietf.org>; Mon, 2 Apr 2012 21:56:43 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=mq9Ibm8QQ1bXudGkP2BawsQWk6cZNEye0b0qvdzqd2Qu mHJoc9XIioqTfhSaP9xXakvR6Jm6xgqL//imAv9aTYZG8rTM/ReMVXFnZeNrynO7 PULE4PHp1lW9RVBoMvpifVDbUXxqqmvJhM3Osc/Ec3zxLmlAK+woGLq0j/8rhU8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:content-type:content-transfer-encoding; s=cryptonector.com; bh=pFktajoVsfhBOWhCGhBiz4CdwlI=; b=i7y24ksnLEJYFSIekiyOMcFvmoyt ZZHfrjXKw/LY3XDJB1GSnRZBo8psCRNtnD0mseBXwj/tbZ6n+O5/a6DzJU1iBhQI M+toBLGBznZb7FWaWKS0XaRjB6qP0jippD4s3FVONfmSeyRi4ze6gYFc+/fQU6hH nxvjsBvvHVkTNyI=
Received: from mail-pz0-f54.google.com (mail-pz0-f54.google.com [209.85.210.54]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id 288729405C for <kitten@ietf.org>; Mon, 2 Apr 2012 21:56:43 -0700 (PDT)
Received: by dady13 with SMTP id y13so4225514dad.27 for <kitten@ietf.org>; Mon, 02 Apr 2012 21:56:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.132.99 with SMTP id ot3mr25637783pbb.160.1333429002556; Mon, 02 Apr 2012 21:56:42 -0700 (PDT)
Received: by 10.68.28.6 with HTTP; Mon, 2 Apr 2012 21:56:42 -0700 (PDT)
In-Reply-To: <CAK3OfOgh7TvkxvdtsNvNHn9YMTgWa_1aJ4=ozkrujvHxG8K0-Q@mail.gmail.com>
References: <CAK3OfOgh7TvkxvdtsNvNHn9YMTgWa_1aJ4=ozkrujvHxG8K0-Q@mail.gmail.com>
Date: Mon, 02 Apr 2012 23:56:42 -0500
Message-ID: <CAK3OfOg5NEc5coye1jPNdQ_X1J0SWdRxo_cG58ozCkLL23izjg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: [kitten] Proposed GSS extension for explicit credential stores
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2012 04:56:44 -0000
Simo and I have a need for extensions for acquiring credentials from, and storing credentials into, an explicit credential store as opposed to the one implied by process credentials/context/environment. For some use cases it is possible to get by without this extension by just forking/spawning processes that can change their process credentials and/or environment variables to change their implicit credential store. I understand that this argument will come up. But this is not a great solution for us. Particularly since it is not a portable and generic solution. The solution we propose will still involve some elements that are not entirely generic or portable, but these elements are abstracted into key/value pairs that are easily configured, thus the resulting applications themselves should be generic and portable. The new functions are: - GSS_Acquire_cred_from() - GSS_Add_cred_from() - GSS_Store_cred_into() These are just like the existing functions that they are based on, but with one additional argument: a credential store. The credential store is just an ordered set of key/value pairs where the keys are URNs (as opposed to OIDs) and the values are octet strings with formats given by the keys. In the C bindings the credential store looks like this: typedef struct gss_cred_store_element_struct { const char *urn; const char *value; } gss_cred_store_element, *gss_cred_store_element_t; typedef const struct gss_cred_store_element *gss_const_cred_store_element_t; typedef struct gss_cred_store_struct { OM_uint32 count; gss_const_cred_store_element_t *elements; } gss_cred_store, *gss_cred_store_t; typedef const struct gss_cred_store_struct *gss_const_cred_store_t; Note the use of the C const keyword. The abstract API representation of this would probably be SET OF SEQUENCE { element_type_urn OCTET STRING, element OCTET STRING } or perhaps just "CREDENTIAL STORE". Note that RFC2743 has types with that much structure, namely: OID sets, or at least the C bindings of OID SET have that much structure. URNs will be provided for at least the following: - ccache values Values will be of the form [<TYPE>:]<ccache-path-or-id>, such as the familiar "FILE:/tmp/somecc" but also "LSA:" and "CCAPI:...". - keytab values Same as with ccache values, but naming a keytab. We'll probably provide URNs for other store element types, such as: - PKCS#11 URI See http://tools.ietf.org/html/draft-pechanec-pkcs11uri-06 We have debated, but not reached a conclusion, other possible element types such as: - User-ID, username - AFS PAG The complete C bindings would be: +/* Extension for credential stores */ +typedef struct gss_cred_store_element_struct { + const char *urn; + const char *value; +} gss_cred_store_element, *gss_cred_store_element_t; +typedef const struct gss_cred_store_element *gss_const_cred_store_element_t; + +typedef struct gss_cred_store_struct { + OM_uint32 count; + gss_const_cred_store_element_t *elements; +} gss_cred_store, *gss_cred_store_t; +typedef const struct gss_cred_store_struct *gss_const_cred_store_t; +#define GSS_C_NO_CRED_STORE ((gss_const_cred_store_t) 0) +OM_uint32 gss_acquire_cred_from( + OM_uint32 *minor_status*, + const gss_name_t desired_name, + OM_uint32 time_req, + const gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_const_cred_store_t cred_store, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec); +OM_uint32 gss_add_cred_from ( + OM_uint32 *minor_status, + const gss_cred_id_t input_cred_handle, + const gss_name_t desired_name, + const gss_OID desired_mech, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_const_cred_store_t cred_store, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *initiator_time_rec, + OM_uint32 *acceptor_time_rec); +OM_uint32 gss_store_cred_into( + OM_uint32 *minor_status, + gss_cred_id_t input_cred_handle, + gss_cred_usage_t cred_usage, + const gss_OID desired_mech, + OM_uint32 overwrite_cred, + OM_uint32 default_cred, + gss_const_cred_store_t cred_store, + gss_OID_set *elements_stored, + gss_cred_usage_t *cred_usage_stored); Comments? Nico --
- [kitten] Proposed GSS extension for explicit cred… Nico Williams
- Re: [kitten] Proposed GSS extension for explicit … Simon Josefsson
- Re: [kitten] Proposed GSS extension for explicit … Simo Sorce
- Re: [kitten] Proposed GSS extension for explicit … Nico Williams