From: Mike Eisler (mike@eisler.com)
Date: 12/20/02-06:31:40 PM Z
Message-ID: <3E03B66C.4070107@eisler.com>
Date: Fri, 20 Dec 2002 16:31:40 -0800
From: Mike Eisler <mike@eisler.com>
Subject: Re: crypto performance and RPCSEC_GSS
There are several (non-AUTH_SYS) alternatives to use for a lightweight
identification-only mechanism. I didn't intend to specify one at this time
but promise to propose something even more elegant if there's
consensus that the basic approach is what should be pursued.
> AUTH_SYS at all for this purpose, no way, because the server is already
> mapping the GSS initiator principal names to its internal identifiers and
> we must preserve the server's ability to do so, whereas AUTH_SYS would take
> it away (and besides, the server would have to ensure that the AUTH_SYS
> data is valid for some established GSS context every time or use it as a
> GSS context lookup key - messy, messy).
Forgive me for my moment of weakness. Since implementors are already
willing to add krb5 to their feature set, the lightweight scheme shouldn't
be a big deal, as long as it is simple to code.
-mre