List: opensolaris-security-discuss
Subject: Re: RPCSEC_GSSv3: extensions for process labeling, etc...
From: Shawn M Emery <Shawn.Emery () Sun ! COM>
Date: 2009-01-14 0:38:05
Message-ID: 496D33ED.6080703 () sun ! com
Nicolas Williams wrote:
> I finally wrote an [individual submission] Internet-Draft for dealing
> with process security labels in NFSv4 (and other ONC RPC protocols):
>
> http://www.ietf.org/internet-drafts/draft-williams-rpcsecgssv3-00.txt
>
> The goal is to get the IETF NFSv4 WG to take on the work. If the WG
> takes this on I'll need an editor and/or co-author to see this through
> to publication as an RFC.
>
> In the meantime, review from the OpenSolaris security community would be
> useful. Comments specific to OpenSolaris should be made on this list,
> while general comments should probably be made on the IETF NFSv4 WG list
> (nfsv4@ietf.org).
>
> Features of RPCSEC_GSSv3:
>
> - compound authentication of client host and user to server
>   - needed to provide servers with assurance of client ID in order to
>     evaluate process credentials assertions while still retaining user
>     authentication
> - process credentials assertions
>   - security labels
>   - privileges (app-specific)
>   - identity (app-specific; think: replacement for AUTH_SYS that uses
>     name@domain on the wire, plus GSS-API for client auth!)
> - channel binding (without a hash function)
>
> Comments?
>
Maybe out of scope for your draft, but again, it is a v3 specification,
and this was something I brought up during the RPCv2 bis sec review,
expecting them not to radically change their draft:
Verifiers could also be useful in some cases in reply messages that are
not accepted by the server. This is useful when preventing a DoS attack
on clients. It would be up to the GSS mechanism to determine how to do
this if at all possible.
Shawn.
--
_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org
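The point Shawn raises, as an added illustration (not code from the draft, from RFC 2203, or from OpenSolaris): in RPCv2 (RFC 5531) a MSG_DENIED reply carries no verifier at all, only a reject_stat and an auth_stat, so a client that honours an RPCSEC_GSS_CREDPROBLEM denial by discarding its context can be forced to do so by anyone who can inject a reply with a matching xid. The model below contrasts that client with one that demands a keyed MIC over the rejection. The Reply layout, the HMAC standing in for GSS_GetMIC, the session key and the xid are all constructed assumptions for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# reply_stat and auth_stat values as defined in RFC 5531 / RFC 2203.
MSG_ACCEPTED = 0
MSG_DENIED = 1
AUTH_ERROR = 1
RPCSEC_GSS_CREDPROBLEM = 13   # server no longer recognises the context handle


@dataclass
class Reply:
    """Minimal RPC reply header (constructed model, not RFC 5531 XDR)."""
    xid: int
    reply_stat: int            # MSG_ACCEPTED or MSG_DENIED
    auth_stat: int = 0         # meaningful only for a MSG_DENIED/AUTH_ERROR reply
    verf: bytes = b""          # MIC over the header; RFC 5531 has no such field on denials


def deny_mic(session_key: bytes, r: Reply) -> bytes:
    """Keyed MIC over the fields a client acts on.  HMAC stands in for GSS_GetMIC
    with the context's session key (assumption for the example)."""
    data = struct.pack(">III", r.xid, r.reply_stat, r.auth_stat)
    return hmac.new(session_key, data, hashlib.sha256).digest()


class Client:
    def __init__(self, session_key: bytes, require_verf_on_deny: bool) -> None:
        self.key = session_key
        self.require_verf_on_deny = require_verf_on_deny
        self.context_ok = True          # do we still trust our RPCSEC_GSS context?
        self.pending_xid = 0x1234       # constructed: the one outstanding call

    def handle_reply(self, r: Reply) -> str:
        if r.xid != self.pending_xid:
            return "dropped: unknown xid"
        if r.reply_stat == MSG_ACCEPTED:
            return "accepted"
        # MSG_DENIED with a credential problem: the client discards the context
        # and re-establishes it.  Without a verifier, anyone who can guess or
        # observe the xid can trigger that round trip at will.
        if self.require_verf_on_deny and not (
            r.verf and hmac.compare_digest(r.verf, deny_mic(self.key, r))
        ):
            return "dropped: unverified denial"
        self.context_ok = False
        return "context torn down"


def forged_denial(xid: int) -> Reply:
    """What an on-path or xid-guessing attacker can send: no key, so no MIC."""
    return Reply(xid, MSG_DENIED, RPCSEC_GSS_CREDPROBLEM)


def genuine_denial(session_key: bytes, xid: int) -> Reply:
    """A server that still holds the context can MIC its own rejection."""
    r = Reply(xid, MSG_DENIED, RPCSEC_GSS_CREDPROBLEM)
    r.verf = deny_mic(session_key, r)
    return r


def run_scenario() -> dict:
    key = b"constructed-session-key"   # constructed; a real GSS context key otherwise
    results = {}
    # 1. Legacy client: a forged denial kills the context (the DoS Shawn describes).
    c = Client(key, require_verf_on_deny=False)
    results["legacy_forged"] = (c.handle_reply(forged_denial(0x1234)), c.context_ok)
    # 2. Client requiring a verifier: the same forgery is ignored ...
    c = Client(key, require_verf_on_deny=True)
    results["strict_forged"] = (c.handle_reply(forged_denial(0x1234)), c.context_ok)
    # 3. ... while a genuine, MIC'd denial still tears the context down.
    results["strict_genuine"] = (c.handle_reply(genuine_denial(key, 0x1234)), c.context_ok)
    # 4. A genuine denial whose auth_stat was altered after MICing is rejected too.
    tampered = genuine_denial(key, 0x1234)
    tampered.auth_stat = AUTH_ERROR
    c = Client(key, require_verf_on_deny=True)
    results["strict_tampered"] = (c.handle_reply(tampered), c.context_ok)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The caveat is the one Shawn leaves to the mechanism: a keyed verifier on a denial only exists while the server still holds the context key. If the server has genuinely lost the context, it cannot produce one, so a client that insists on verified denials would have to fall back to something else (a timeout, or a fresh context negotiation it initiates itself) to recover from that case.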