GSSAPI - context lifetime
Nicolas.Williams at sun.com
Fri May 30 20:33:04 EDT 2008
On Fri, May 30, 2008 at 03:00:38PM -0600, Machin, Glenn D wrote:
> > What about key usage though? The obvious advice here
> > is: use AES. But what should the mechanism do when the key
> > is 1DES and
> > the app is doing bulk, high bandwidth data transfers?
> I don't think that this is something that wrap/unwrap needs to be
> concerned with. First only the application can determine how much data
> will be moved during the session. Then if you change the behavior of
The issue isn't how much data _will_ the app move, but how much data
_has been_ moved.
> the code based upon the key type, you could create all sorts of
> confusion to the end user. My gssftp of 2 large files works from
> system A to system B but not from system A to system C, all because A
> to B used AES and A to C used DES.
I agree. It'd be better to just have a minor status code to indicate
key overuse while still indicating overall success.
More information about the krbdev