Session key extraction
jaltman at secure-endpoints.com
Mon Dec 22 23:46:36 EST 2008
Greg Hudson wrote:
> If there is any ambiguity about what key to return for a given
> mechanism, we are much safer if we do *not* implement key export for a
> mechanism before Microsoft does. It's much better to be stuck in the
> situation of "SSPI provides X, we provide nothing" than to be stuck in
> the situation of "SSPI provides X, we provide Y." The former is easily
> fixable; the latter is much harder.
That is a good point, but it leaves developers and administrators
in a very awkward position of ensuring that only MSFT-implemented key
types are negotiated for a context that might require a key export.
A better approach if you are unsure of what to implement would be to
discuss the situation with your board member and come to an agreement
on what the implementation should be.