Non-default Quality of Protection?
Tomas Kuthan
tomas.kuthan at oracle.com
Tue Nov 12 04:42:31 EST 2013
Hi all,

I am confuzzled about the usefulness of the QOP concept in GSS-API.

RFC 2743 states that using a non-default QOP is a mechanism-specific,
non-portable construct.

RFC 4121 says that applications using a QOP other than the default are
not guaranteed portability and interoperability. It also says that
encryption and checksum algorithms in per-message tokens are implicitly
defined by the algorithms associated with the session key or subkey, and
that using a different algorithm than the one for which the key is defined
may not be appropriate.

This gives me the impression that using non-default QOPs is discouraged
and that the whole Quality of Protection concept is somewhat obsolete.
Is that so?

Do you know of a use case (real-life or hypothetical) for a non-default
QOP with the Kerberos GSS-API mechanism?

Does any other GSS-API mechanism make use of non-default QOPs?

Thanks,
Tomas