Re: [SAMBA4][PATCH] Fix up AES sign/seal on DCE/RPC



On Sat, 2005-09-10 at 18:38 -0400, Ken Raeburn wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sep 10, 2005, at 02:09, Andrew Bartlett wrote:
> > Sadly it is a mistake that DCE/RPC forces on us:  While I presume you
> > could simply expand the data portion for the full wrapped data,
> > Microsoft chose to place the signature in the traditional place,
> > separate from the main data.  We have to be compatible with that.
> [...]
> > As such, I'm in a no-win situation, and took the least ugly way  
> > out :-)
> 
> Pragmatically, yes, it sounds like you're stuck implementing  
> something along these lines.  But I think it would be a bit less ugly  
> if the naming made it clear that it's a DCE/RPC thing, not a general  
> GSSAPI thing.  DCE/RPC isn't GSSAPI.  Likewise for gss_wrap_ex, if it  
> separates the signature, though I could certainly see AEAD being a  
> useful GSSAPI addition (and wish we'd had time to properly consider  
> it for RFC 3961 -- Kerberos cryptosystems -- as well).

Any suggestions as to the name?  While the particular need here is for
DCE/RPC, I imagine it is not the only framing that is painful in this
respect...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
