GSSAPI - context lifetime

Nicolas Williams Nicolas.Williams at
Fri May 30 20:33:04 EDT 2008

On Fri, May 30, 2008 at 03:00:38PM -0600, Machin, Glenn D wrote:
> > What about key usage though?  The obvious advice here
> > is: use AES.  But what should the mechanism do when the key
> > is 1DES and
> > the app is doing bulk, high bandwidth data transfers?
> I don't think that this is something that wrap/unwrap needs to be
> concerned with. First only the application can determine how much data
> will be moved during the session. Then if you change the behavior of

The issue isn't how much data _will_ the app move, but how much data
_has been_ moved.

> the code based upon the key type, you could create all sorts of
> confusion to the end user.  My gssftp of 2 large files works from
> system A to system B but not from system A to system C, all because A
> to B used AES and A to C used DES.

I agree.  It'd be better to just have a minor status code to indicate
key overuse while still indicating overall success.

More information about the krbdev mailing list