[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Exporting gssapi context, take two

>>>>> "Kevin" == Kevin Coffman <kwc@citi.umich.edu> writes:

    >> The only problem I see with this proposal is that CFX does not
    >> have two keys for signing and sealing.  It has one context key
    >> and potentially one acceptor subkey.  Besides that, this
    >> proposal looks good to me.

    Kevin> My intention was to make it simple for the calling code and
    Kevin> simply return the derived keys to be used for signing and
    Kevin> sealing -- whether they are derived from the
    Kevin> context/session key or subkey.  Am I misunderstanding how
    Kevin> this works?

Yes, it doesn't work that way at all.

I also disagree somewhat with trying to make it easier for the calling
code.  I'd rather simply export the minimum protocol quantities for
the calling code to do its job.