GSSAPI - context lifetime
Nicolas.Williams at sun.com
Fri May 30 12:28:34 EDT 2008
On Fri, May 30, 2008 at 10:08:09AM -0600, Glenn Machin wrote:
> It appears that Heimdal sets the context lifetime to that of the ticket,
> but ignores it in wrap/unwrap. GSS_S_CONTEXT_EXPIRED is a possible
> return value so I don't know if this is in violation of the RFC.

Note: the RFC in question would be 4121, since RFC2743 does mandate that
GSS_S_CONTEXT_EXPIRED be used. RFC4120 and RFC3961/3962 would be the
places to look for key lifetime.

RFC4121 says nothing about context expiration and RFC2743 doesn't have
enough text from which to guess what the right behaviour would be for
any one mechanism.

Therefore implementors are left to guess what to do here. It's not
surprising that two implementors chose different behaviours.

> From the discussion on this email thread it's clear that the checking of
> the context lifetime in wrap/unwrap is a usability issue.
> So can we just ignore the context lifetime in the wrap/unwrap? It seems
> to me that would have less of an impact to applications.

I support this. What about key usage though? The obvious advice here
is: use AES. But what should the mechanism do when the key is 1DES and
the app is doing bulk, high bandwidth data transfers?
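The thread above leaves the application to cope with two mechanism behaviours (one that enforces context lifetime in wrap/unwrap and returns GSS_S_CONTEXT_EXPIRED, one that only reports it through gss_context_time) and raises the separate question of key usage under a 64-bit block cipher. The following is an added example, not code from this thread, from MIT Kerberos or from Heimdal. It shows an application-side wrapper that works against either behaviour: it polls the remaining lifetime before wrapping, retries once on GSS_S_CONTEXT_EXPIRED, and caps the bytes wrapped under one 64-bit-block key. The real GSSAPI calls are replaced by a hypothetical FakeContext so that it runs offline with no crypto; FakeContext, Channel, RENEW_MARGIN and DES_KEY_BUDGET are assumptions of this example, and only the major-status bit layout and constants reproduce the real ones from RFC 2744 section 3.9.1.

```python
# Added example (not from the krbdev thread, MIT Kerberos or Heimdal).
# Real programs use gss_wrap()/gss_context_time() from <gssapi/gssapi.h>;
# here a hypothetical FakeContext stands in so the code runs offline.

# --- major-status layout, as specified in RFC 2744 section 3.9.1 ----------
GSS_C_CALLING_ERROR_OFFSET = 24
GSS_C_ROUTINE_ERROR_OFFSET = 16
GSS_C_SUPPLEMENTARY_OFFSET = 0
GSS_C_CALLING_ERROR_MASK = 0o377
GSS_C_ROUTINE_ERROR_MASK = 0o377
GSS_C_SUPPLEMENTARY_MASK = 0o177777

GSS_S_COMPLETE = 0
GSS_S_NO_CONTEXT = 8 << GSS_C_ROUTINE_ERROR_OFFSET
GSS_S_CREDENTIALS_EXPIRED = 11 << GSS_C_ROUTINE_ERROR_OFFSET
GSS_S_CONTEXT_EXPIRED = 12 << GSS_C_ROUTINE_ERROR_OFFSET
GSS_S_FAILURE = 13 << GSS_C_ROUTINE_ERROR_OFFSET
GSS_S_CONTINUE_NEEDED = 1 << GSS_C_SUPPLEMENTARY_OFFSET


def GSS_ROUTINE_ERROR(major):
    return major & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)


def GSS_ERROR(major):
    """Non-zero iff a calling or routine error is set; supplementary bits
    such as GSS_S_CONTINUE_NEEDED are not errors."""
    return major & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)
                    | (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))


class FakeContext:
    """Hypothetical stand-in for a gss_ctx_id_t (assumption of this example).
    enforce_in_wrap=True models a mechanism that checks lifetime in wrap,
    False one that only reports it via context_time(). No real crypto: the
    'token' is a sequence number prefix plus the plaintext."""

    def __init__(self, established_at, lifetime, block_bits, enforce_in_wrap):
        self.expires_at = established_at + lifetime
        self.block_bits = block_bits            # 64 for DES/3DES, 128 for AES
        self.enforce_in_wrap = enforce_in_wrap
        self.seq = 0

    def context_time(self, now):
        """Shaped like gss_context_time(): (major, seconds remaining)."""
        remaining = self.expires_at - now
        if remaining <= 0:
            return GSS_S_CONTEXT_EXPIRED, 0
        return GSS_S_COMPLETE, remaining

    def wrap(self, now, message):
        """Shaped like gss_wrap(): (major, token)."""
        if self.enforce_in_wrap and now >= self.expires_at:
            return GSS_S_CONTEXT_EXPIRED, None
        self.seq += 1
        return GSS_S_COMPLETE, self.seq.to_bytes(4, "big") + message


class Channel:
    """Application policy (an assumption of this example, not anything the
    RFCs mandate): re-establish shortly before expiry, retry once if wrap
    reports GSS_S_CONTEXT_EXPIRED, and for 64-bit block ciphers keep the
    bytes wrapped under one key well below the 2^32-block birthday bound."""

    RENEW_MARGIN = 60          # seconds of remaining lifetime that trigger renewal
    DES_KEY_BUDGET = 1 << 30   # 1 GiB, far under 2^32 blocks * 8 bytes = 32 GiB

    def __init__(self, establish, key_budget=None):
        self.establish = establish   # callback(now) -> context (the init_sec_context loop)
        self.key_budget = key_budget
        self.ctx = None
        self.bytes_under_key = 0
        self.establishments = 0

    def _new_context(self, now):
        self.ctx = self.establish(now)
        self.bytes_under_key = 0
        self.establishments += 1

    def _budget(self):
        if self.key_budget is not None:
            return self.key_budget
        return self.DES_KEY_BUDGET if self.ctx.block_bits == 64 else None

    def send(self, now, message):
        if self.ctx is None:
            self._new_context(now)
        major, remaining = self.ctx.context_time(now)
        budget = self._budget()
        if (GSS_ERROR(major) or remaining < self.RENEW_MARGIN
                or (budget is not None and self.bytes_under_key + len(message) > budget)):
            self._new_context(now)           # proactive renewal: works for both behaviours
        major, token = self.ctx.wrap(now, message)
        if GSS_ROUTINE_ERROR(major) == GSS_S_CONTEXT_EXPIRED:
            self._new_context(now)           # mechanism enforces lifetime in wrap: retry once
            major, token = self.ctx.wrap(now, message)
        if GSS_ERROR(major):
            raise RuntimeError("gss_wrap failed: major=0x%08x" % major)
        self.bytes_under_key += len(message)
        return token


def demo(enforce_in_wrap):
    """Ticket life 300 s; sends at t=0, t=250 (inside the margin), t=700 (expired)."""
    def establish(now):
        return FakeContext(now, 300, 64, enforce_in_wrap)
    ch = Channel(establish)
    for t, msg in ((0, b"hello"), (250, b"still ok?"), (700, b"late")):
        ch.send(t, msg)
    return ch.establishments
```

Because the proactive check runs before every wrap, the same application code needs three context establishments in the demo whichever behaviour the mechanism has; the retry branch only matters if the lifetime elapses between the context_time call and the wrap call.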