Re: GSS-API SRP mech (was Re: retrying keyex ...)

To: "Joseph Salowey" <jsalowey%cisco.com@localhost>
Subject: Re: GSS-API SRP mech (was Re: retrying keyex ...)
From: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Date: Wed, 16 Jul 2003 18:02:31 -0400

> I believe 
>
> http://www.ietf.org/internet-drafts/draft-burdis-cat-srp-sasl-08.txt
>
> Is an SRP SASL mechanism that also uses GSSAPI framing, perhaps this is
> enough (I haven't looked at it yet).

It appears that that by itself doesn't provide integrity protection,
and draft-ietf-secsh-gsskeyex says:

   The key exchange method described in section 1 of this document
   depends on the underlying GSSAPI mechanism to provide both mutual
   authentication and per-message integrity services.  If either of
   these features is not supported by a particular GSSAPI mechanism, or
   by a particular implementation of a GSSAPI mechanism, then the key
   exchange is not secure and MUST fail.

In theory, you can use that SASL mechanism with an intergrity
protection layer.  In practice, since it appears that the SASL SRP
mechanism basically does the things you want a Secure Shell key
exchange to accomplish, it may be better to define a new Secure Shell
key exchange algorithm to support SRP.

However, this is probably a mostly academic discussion at the moment,
due to IPR issues related to SRP.  Fortunately, patents do expire
eventually.

Follow-Ups:
- Re: GSS-API SRP mech (was Re: retrying keyex ...)
  - From: Tom Wu

References:
- RE: GSS-API SRP mech (was Re: retrying keyex ...)
  - From: Joseph Salowey

Prev by Date: RE: GSS-API SRP mech (was Re: retrying keyex ...)
Next by Date: Re: GSS-API SRP mech (was Re: retrying keyex ...)
Previous by Thread: RE: GSS-API SRP mech (was Re: retrying keyex ...)
Next by Thread: Re: GSS-API SRP mech (was Re: retrying keyex ...)
Indexes:

Home | Main Index | Thread Index | Old Index