List:       opensolaris-security-discuss
Subject:    Re: RPCSEC_GSSv3: extensions for process labeling, etc...
From:       Shawn M Emery <Shawn.Emery () Sun ! COM>
Date:       2009-01-14 0:38:05
Message-ID: 496D33ED.6080703 () sun ! com
Nicolas Williams wrote:
> I finally wrote an [individual submission] Internet-Draft for dealing
> with process security labels in NFSv4 (and other ONC RPC protocols):
>
> http://www.ietf.org/internet-drafts/draft-williams-rpcsecgssv3-00.txt
>
> The goal is to get the IETF NFSv4 WG to take on the work.  If the WG
> takes this on I'll need an editor and/or co-author to see this through
> to publication as an RFC.
>
> In the meantime, review from the OpenSolaris security community would be
> useful.  Comments specific to OpenSolaris should be made on this list,
> while general comments should probably be made on the IETF NFSv4 WG list
> (nfsv4@ietf.org).
>
> Features of RPCSEC_GSSv3:
>
>  - compound authentication of client host and user to server
>     - needed to provide servers with assurance of client ID in order to
>       evaluate process credentials assertions while still retaining user
>       authentication
>  - process credentials assertions
>     - security labels
>     - privileges (app-specific)
>     - identity (app-specific; think: replacement for AUTH_SYS that uses
>       name@domain on the wire, plus GSS-API for client auth!)
>  - channel binding (without a hash function)
>
> Comments?
>   

Maybe out of scope for your draft, but since it is a v3 specification,
this is again something I brought up during the RPCv2 bis security review,
expecting them not to radically change their draft:

Verifiers could also be useful in some cases in reply messages that are 
not accepted by the server.  This is useful when preventing a DoS attack 
on clients.  It would be up to the GSS mechanism to determine how to do 
this if at all possible.

Shawn.
--
_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org
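The reply above argues that a verifier on rejected (MSG_DENIED) replies would let clients tell a genuine denial from a spoofed one. The model below is an added example for this archive page, not code from either poster or from the draft: it uses HMAC-SHA256 as a stand-in for the GSS mechanism's MIC, a constructed 32-byte session key, and a JSON "reply header" that is not the ONC RPC wire format. It shows the three cases a practitioner would want to see: a legacy client that trusts unverified denials (and so can be knocked off a request by an on-path forger), a hardened client paired with a server that signs denials, and the deployment mismatch where the client requires the verifier but the mechanism or server does not provide it.

```python
"""Constructed model of verifiers on rejected RPC replies.

Stand-ins (not the draft's design): HMAC-SHA256 plays the role of the GSS
mechanism's GSS_GetMIC over the reply header, and a JSON dict plays the role
of the reply header. The session key is a constructed constant.
"""
import hashlib
import hmac
import json

REPLY_ACCEPTED = "MSG_ACCEPTED"
REPLY_DENIED = "MSG_DENIED"
SESSION_KEY = b"\x00" * 32  # constructed key shared by client and server only
KEY_LEN = 32


def mic(key: bytes, body: dict) -> bytes:
    """Stand-in for GSS_GetMIC: HMAC over the canonical encoding of the reply body."""
    encoded = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, encoded, hashlib.sha256).digest()


def server_reply(key: bytes, xid: int, stat: str, payload: str, *, verify_denied: bool) -> dict:
    """Build a reply. Accepted replies always carry a verifier; whether a
    denied reply carries one is the server/mechanism policy under discussion."""
    body = {"xid": xid, "reply_stat": stat, "payload": payload}
    if stat == REPLY_ACCEPTED or verify_denied:
        return {"body": body, "verf": mic(key, body)}
    return {"body": body, "verf": None}


def client_accepts(key: bytes, reply: dict, *, require_verf_on_denied: bool) -> bool:
    """Decide whether the client acts on a reply.

    A legacy client acts on an unverified denial as-is; a hardened client
    drops any denial that does not carry a verifier it can check."""
    body, verf = reply["body"], reply["verf"]
    if verf is None:
        return body["reply_stat"] == REPLY_DENIED and not require_verf_on_denied
    return hmac.compare_digest(verf, mic(key, body))


def spoofed_denial(xid: int, *, forge_verf: bool = False) -> dict:
    """An on-path attacker knows the xid but not the session key."""
    body = {"xid": xid, "reply_stat": REPLY_DENIED, "payload": "AUTH_ERROR"}
    return {"body": body, "verf": b"\xff" * KEY_LEN if forge_verf else None}


def simulate(verify_denied: bool, require_verf_on_denied: bool) -> dict:
    """Run one genuine denial and two spoofed ones through the client policy."""
    xid = 0x1234
    genuine = server_reply(SESSION_KEY, xid, REPLY_DENIED, "AUTH_ERROR", verify_denied=verify_denied)
    spoof = spoofed_denial(xid)
    forged = spoofed_denial(xid, forge_verf=True)
    return {
        "genuine_accepted": client_accepts(SESSION_KEY, genuine, require_verf_on_denied=require_verf_on_denied),
        "spoof_accepted": client_accepts(SESSION_KEY, spoof, require_verf_on_denied=require_verf_on_denied),
        "forged_accepted": client_accepts(SESSION_KEY, forged, require_verf_on_denied=require_verf_on_denied),
    }


if __name__ == "__main__":
    print("legacy   :", simulate(verify_denied=False, require_verf_on_denied=False))
    print("hardened :", simulate(verify_denied=True, require_verf_on_denied=True))
    print("mismatch :", simulate(verify_denied=False, require_verf_on_denied=True))
```

The legacy run accepts the spoofed denial, which is the client-side DoS the reply describes. The hardened run accepts only the genuine denial; a forged verifier fails the MIC check whether or not the client requires one. The mismatch run rejects every denial, including the genuine one, which is why the reply leaves it to the GSS mechanism to decide whether and how a verifier can be produced for a reply the server did not accept.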