Session key extraction

Greg Hudson ghudson at MIT.EDU
Mon Dec 22 23:04:23 EST 2008

On Mon, 2008-12-22 at 19:14 -0500, Jeffrey Altman wrote:
> The protocols are now publicly documented by Microsoft on their
> developers web site.  In order for the Consortium's distribution to
> be used out of the box by third parties to implement these protocols
> they need this functionality.   That isn't to say that it should not
> come with a note perhaps indicating that the functionality is only
> for Microsoft compatibility and should not be used when designing
> any new protocols.

I think that's the consensus of this discussion.  (That is, provide the
interface, but document it as being purely for compatibility with SSPI.)

> I do not believe that it would be wise to restrict the usage to only
> Microsoft implemented key types.  It is impossible to say what might
> be implemented in the future.

If there is any ambiguity about what key to return for a given
mechanism, we are much safer if we do *not* implement key export for a
mechanism before Microsoft does.  It's much better to be stuck in the
situation of "SSPI provides X, we provide nothing" than to be stuck in
the situation of "SSPI provides X, we provide Y."  The former is easily
fixable; the latter is much harder.

More information about the krbdev mailing list