PROXY tickets and GSSAPI

Douglas E. Engert deengert at
Thu Jun 27 11:34:00 EDT 2002

Nicolas Williams wrote:
> On Wed, Jun 26, 2002 at 04:55:52PM -0500, Douglas E. Engert wrote:
> > The problem is the GSSAPI only has a single delegate flag, which is used
> > for delegating a TGT, which is also forwardable.
> >
> > The GSSAPI extensions we are proposing at the GGF next month might address
> > this problem, by allowing more input to the GSS delegation process, including
> > delegation at any time.
> Unless the GGF extensions also include new GSS messages/APIs for
> delegating credentials without re-authenticating (i.e., using a sec
> context that is established and un-expired) then proxy tickets will
> remain useless.

Yes it does. The GGF is in 4 weeks, and we are revising the draft of other
issues. See

> Ideally a message/API would also be specified by which an acceptor can
> ask an initiator, on demand, to delegate more creds.
> But then you get into other issues, such as: no one will be able to use
> such new messages without re-specifying the way their protocols use GSS.

True. Globus is headed that way.

> GSS was never meant (apparently) to provide session framing - it will be
> difficult to introduce that now (particularly when SSHv2 and TLS both
> provide some of that, SSHv2 being rather comprehensive).

> Cheers,
> Nico


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
