On Sat, 2005-09-10 at 18:38 -0400, Ken Raeburn wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sep 10, 2005, at 02:09, Andrew Bartlett wrote:
> > Sadly it is a mistake that DCE/RPC forces on us: While I presume you
> > could simply expand the data portion for the full wrapped data,
> > Microsoft chose to place the signature in the traditional place,
> > separate from the main data. We have to be compatible with that.
> [...]
> > As such, I'm in a no-win situation, and took the least ugly way
> > out :-)
>
> Pragmatically, yes, it sounds like you're stuck implementing
> something along these lines. But I think it would be a bit less ugly
> if the naming made it clear that it's a DCE/RPC thing, not a general
> GSSAPI thing. DCE/RPC isn't GSSAPI. Likewise for gss_wrap_ex, if it
> separates the signature, though I could certainly see AEAD being a
> useful GSSAPI addition (and wish we'd had time to properly consider
> it for RFC 3961 -- Kerberos cryptosystems -- as well).

Any suggestions as to the name? While the particular need here is for
DCE/RPC, I imagine it is not the only framing that is painful in this
respect...

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net