Session key extraction

Jeffrey Altman jaltman at
Mon Dec 22 19:14:19 EST 2008

My opinion is as follows:

regardless of whether you think its a good idea or a bad idea, there are
protocols that Microsoft implemented that are widely deployed and for
which it is impossible to implement the security solutions that
Microsoft developed as a incrementally better idea than what came

In order to implement this class of protocols it is necessary that
the session key be exported after gss session establishment.

The protocols are now publicly documented by Microsoft on their
developers web site.  In order for the Consortium's distribution to
be used out of the box by third parties to implement these protocols
they need this functionality.   That isn't to say that it should not
come with a note perhaps indicating that the functionality is only
for Microsoft compatibility and should not be used when designing
any new protocols.

I do not believe that it would be wise to restrict the usage to only
Microsoft implemented key types.  It is impossible to say what might
be implemented in the future.

I believe the functionality should be provided.

Jeffrey Altman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the krbdev mailing list