Re: RFC 4121 & acceptor subkey use in MIC token generation

<mailman.24.1698349225.2263420.kerberos@mit.edu>

From: nic...@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 14:40:06 -0500
 by: Nico Williams - Thu, 26 Oct 2023 19:40 UTC

On Thu, Oct 26, 2023 at 02:38:47PM -0400, Ken Hornstein via Kerberos wrote:
> [...]

Kerberos is becoming less relevant in general because for most apps
running over TLS and using bearer tokens over TLS is Good Enough and
also Much Easier Than Using Kerberos (whether directly or via GSS).
That means that GSS too is becoming less relevant.

On the other hand you still have Microsoft's Active Directory insisting
on Kerberos, and you still have a lack of support for SSHv2 w/ bearer
tokens, and you yourself might not even have a bearer token issuer
infrastructure you could use if SSHv2 could support it.

So what can you do? Well, you could build an online kerberized CA that
vends short-lived OpenSSH-style certificates, then use that for SSH.

Perhaps you'll find that easier to do than to send a PR for hard-coding
mechanism OID->name mappings, and even if not, you may find it better
for the long term anyways because it's fewer patches to maintain.

Though credential delegation becomes hairy since all you can do then is
ssh-agent forwarding, and if you need Kerberos credentials on the target
end well, you won't get them unless you build yet another bridge where
you have your online kerberized CA vend certificates for use with PKINIT
so that you can kinit w/ PKINIT using a private key accessed over the
forwarded ssh-agent.

I'm a big proponent of authentication protocol bridging. I've written
an online kerberized CA in Heimdal, though that one doesn't [yet] vend
OpenSSH-style certificates. One site I'm familiar with has a kerberized
JWT, OIDC, and PKIX certificate issuer, and they support PKINIT, so they
can and do bridge all the tokens and all the Kerberos realms and all the
PKIX and soon OpenSSH CAs.

It's nice to not have to patch all the things and contribute patches
upstream. Though because there's no open source universal authen.
credential issuer bridge available the price one pays for not patching
all the things is the cost of building and maintaining such a bridge.
(The cost of operating such a bridge need not be significantly different
from the cost of operating distinct JWT, OIDC, PKIX, and Kerberos
issuers.)

> >We accept PRs.
>
> I am SO many levels down from the people that manage the licenses that
> figuring out how to file a PR upwards through the various levels of the
> DoD would probably take me a few days (I don't have to convince RedHat
> there's a problem, I have to convince those gatekeepers that there's
> a problem first, that's where things go sideways). And those people are
> the kind of people that as soon as they hear "MD5" and "FIPS mode" in
> the same sentence, they're going to say, "THAT'S NOT ALLOWED".

I feel you. I have had to deal with this sort of audit issue myself,
and it's always a pain to convince an auditor that some particular thing
that their book says is verboten is not security-relevant in this one
case and should be permitted. I don't have the cycles to go do the
hard-coding you need to satisfy your auditors. It's not that I don't
care about that problem -- after all, I might have it myself eventually
w.r.t. GSS-KEYEX. It's that I only touch GSS-KEYEX code once per
biennium, and right now is not that time for me and I'm full up with
other things. If now were that time I might add a table of OID->name
mappings and have a ./configure switch for enabling (or disabling) use
of MD5 for generating names for OIDs not included in that list.

Therefore I have no problem with you not using SSHv2 GSS-KEYEX.

Perhaps someone else wants to volunteer to solve your problem _now_
rather than later, but unfortunately it can't be me, not right now.

Nico
--
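
The table-plus-switch idea mentioned in the message above, sketched as an added example that is not part of the original post and is not OpenSSH or Heimdal code. It assumes the RFC 4462 rule that a GSS-KEYEX name suffix is the base64 of the MD5 of the DER-encoded mechanism OID; the function names and the `allow_md5` parameter (standing in for the `./configure` switch) are hypothetical.

```python
import base64
import hashlib

# Hard-coded OID -> name-suffix table. The Kerberos 5 entry is the value seen
# in names such as gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==.
KNOWN_MECH_SUFFIXES = {
    "1.2.840.113554.1.2.2": "toWM5Slw5Ew8Mqkay+al2g==",
}


def der_encode_oid(dotted):
    """Return the DER encoding (tag 0x06, length, body) of a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %r" % dotted)
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]            # last base-128 digit, high bit clear
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))  # earlier digits, high bit set
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + bytes(body)


def md5_suffix(dotted):
    """RFC 4462 derivation: base64(MD5(DER-encoded OID))."""
    digest = hashlib.md5(der_encode_oid(dotted), usedforsecurity=False).digest()
    return base64.b64encode(digest).decode("ascii")


def kex_suffix(dotted, allow_md5=False):
    """Look the OID up in the table; hash only if the build switch allows it."""
    if dotted in KNOWN_MECH_SUFFIXES:
        return KNOWN_MECH_SUFFIXES[dotted]
    if not allow_md5:
        raise LookupError("mechanism %s not in table and MD5 is disabled" % dotted)
    return md5_suffix(dotted)


if __name__ == "__main__":
    krb5 = "1.2.840.113554.1.2.2"
    print("gss-group1-sha1-" + kex_suffix(krb5))          # table hit, no MD5
    print(md5_suffix(krb5) == KNOWN_MECH_SUFFIXES[krb5])  # table matches hash
```

With `allow_md5` left off, a listed mechanism never reaches an MD5 call, which is the property an auditor working from a FIPS checklist would look for; an unlisted OID fails closed instead of silently hashing.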
