On Tue, Sep 14, 2010 at 02:07:09AM +0200, Luke Howard wrote:
> So, right now, the enctype is encoded into the OID, so you can
> actually pick any supported enctype:
>
> % cat /usr/local/etc/gss/mech
> eap 1.3.6.1.4.1.5322.21.1 libmech_eap.dylib
> eap-des3-cbc-sha1 1.3.6.1.4.1.5322.21.1.16 libmech_eap.dylib
> eap-aes128 1.3.6.1.4.1.5322.21.1.17 libmech_eap.dylib
> eap-aes256 1.3.6.1.4.1.5322.21.1.18 libmech_eap.dylib
> eap-rc4-hmac 1.3.6.1.4.1.5322.21.1.23 libmech_eap.dylib
>
> Leaving the last element off picks the default enctype. This is a
> convenience to the initiator; the tokens are always prefixed with the
> concrete mechanism OID.
>
> I'm not proposing we standardise this or the non-AES enctypes, it's
> just a FYI.
Encoding the enctype in the OID is a very good thing to do.
New mechanisms should not bother with rc4 or 1DES, even 3DES, except
that that leaves us with no alternatives to AES, which makes me feel a
tad uncomfortable.
Nico
--
|
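As an added illustration of the scheme Luke describes (not code from the thread or from the mech_eap project), the following Python parses a mech file of the quoted format, recovers the Kerberos enctype number from the trailing OID arc, and flags the enctypes Nico says new mechanisms should avoid. The base arc and the enctype-number-to-name table are assumptions taken from the quoted file and the Kerberos enctype registry.

```python
# Added example: audit a GSS mech config whose mechanism OIDs encode the enctype.
# Assumption: the file format is "name OID library" per line, and the base arc
# below is the one shown in the quoted /usr/local/etc/gss/mech.

EAP_BASE_OID = "1.3.6.1.4.1.5322.21.1"

# Kerberos enctype registry numbers for the arcs seen in the quoted file.
ENCTYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {16, 23}  # 3DES and RC4: flagged for review

# Constructed sample mirroring the quoted mech file.
SAMPLE_MECH_FILE = """\
eap 1.3.6.1.4.1.5322.21.1 libmech_eap.dylib
eap-des3-cbc-sha1 1.3.6.1.4.1.5322.21.1.16 libmech_eap.dylib
eap-aes128 1.3.6.1.4.1.5322.21.1.17 libmech_eap.dylib
eap-aes256 1.3.6.1.4.1.5322.21.1.18 libmech_eap.dylib
eap-rc4-hmac 1.3.6.1.4.1.5322.21.1.23 libmech_eap.dylib
"""

def parse_mech_file(text):
    """Return (name, oid, library) tuples, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed mech line: {line!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries

def enctype_from_oid(oid, base=EAP_BASE_OID):
    """Enctype number encoded as the single arc after the base OID.
    The bare base OID selects the default enctype and yields None."""
    if oid == base:
        return None
    if not oid.startswith(base + "."):
        raise ValueError(f"OID not under {base}: {oid}")
    suffix = oid[len(base) + 1:]
    if not suffix.isdigit():
        raise ValueError(f"expected exactly one extra arc: {oid}")
    return int(suffix)

def audit_mech_file(text):
    """Map each mech name to (enctype, is_weak); enctype None means default."""
    report = {}
    for name, oid, _lib in parse_mech_file(text):
        et = enctype_from_oid(oid)
        report[name] = (et, et in WEAK_ENCTYPES)
    return report
```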