Creating a new pre-authentication plugin

Nico Williams nico at cryptonector.com
Wed Aug 1 22:36:55 EDT 2012


On Wed, Aug 1, 2012 at 9:25 PM, Luke Howard <lukeh at padl.com> wrote:
>> I believe statelessness here requires that each hop be able to be
>> performed against different KDCs.  This is important to me and to
>> others.  I recommend you pursue the exported partially established
>> security context token approach to retain statelessness, which I think
>> is eminently feasible (and would benefit us all in other ways).
>
> Right, and if the immediate target is GSS EAP, then the Moonshot implementation already supports partial context export on the acceptor side. It might be nice if there was a way of negotiating whether this was supported within the protocol, so that for other GSS mechanisms the client could be bound to a single KDC (but I suppose this is difficult to do with stacked mechanisms).

There's no need to negotiate: the acceptor being the only one that
needs to do the exporting, it either succeeds or fails, and if the
latter then it could tell the client.  HOWEVER, I think I object to
even this fallback-to-stateful approach.  I want the KDC protocols to
be stateless because a) many client libraries are so structured and
would require significant surgery to be able to cope with a change to
statefulness, b) IAKERB proxies have no way to handle statefulness
since they don't expect it, the protocol has no way for the KDC to
indicate it, and it's too late for a client to request it by the time
it might find out that it needs it, plus any existing IAKERB proxies
simply could not possibly handle statefulness no matter what
extensions to IAKERB we might pursue, c) statelessness is a great
simplification for clients (see (a)) that I'd not want to abandon even
if we could go fix all of the existing clients.

I think statefulness might be useful for a prototype or otherwise
during development, but it must not ship that way.  If, as Luke says,
GSS-EAP is the mechanism that you have in mind, and since it already
supports partially established sec context export, then I don't think
you need statefulness even during development nor for a prototype.

Nico

PS: IIRC I used to be much less strongly in favor of statelessness.
