Exporting gssapi context, take two

Sam Hartman hartmans at MIT.EDU
Fri Apr 16 13:58:25 EDT 2004

>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:

    >> The only problem I see with this proposal is that CFX does not
    >> have two keys for signing and sealing.  It has one context key
    >> and potentially one acceptor subkey.  Besides that, this
    >> proposal looks good to me.

    Kevin> My intention was to make it simple for the calling code and
    Kevin> simply return the derived keys to be used for signing and
    Kevin> sealing -- whether they are derived from the
    Kevin> context/session key or subkey.  Am I misunderstanding how
    Kevin> this works?

Yes, it doesn't work that way at all.

I also disagree somewhat with trying to make it easier for the calling
code.  I'd rather simply export the minimum protocol quantities for
the calling code to do its job.

More information about the krbdev mailing list