On Sat, Oct 29, 2011 at 5:09 PM, Luke Howard wrote:
>
> On 30/10/2011, at 3:35 AM, Nico Williams wrote:
>
> > What about prompting that couldn't happen until context establishment
> > and for which doing the prompting via credential acquisition wouldn't
> > work? OTPs come to mind.
> >
> > How about we have a function by which to associate a prompter callback
> > with a partially established security context? You'd set it when
> > GSS_Init_sec_context() returns GSS_S_PROMPTING_NEEDED or whatever, and
> > then you'd call GSS_Init_sec_context() again with all the same
> > arguments as before.
>
> Good idea.
> That said, I'm pleasantly surprised that supporting the simple case only
> required very small (20 line per module?) changes to OpenSSH, GSS and
> mech_eap.
> How do I go about registering:
> #define GSS_S_PROMPTING_NEEDED (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 5))
> I wonder?

It wouldn't have to be a supplementary status code, but it seems more
consistent that way. I guess we're not at risk of running out of
supplementary status code bits...
Anyways, you'll have to submit an I-D and get it published as a
Standards-Track RFC. There's no IANA registry for supplementary
status codes.
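
The retry flow discussed in this thread, as an added example that is not code from either poster or from any GSS-API implementation: a mock initiator returns the proposed `GSS_S_PROMPTING_NEEDED` bit until a prompter is attached, and the caller then calls again with the same arguments. The `demo_*` names, the mock context, and the constructed OTP reply are assumptions; the status layout and the existing codes follow RFC 2744.

```c
#include <stddef.h>
#include <stdio.h>
typedef unsigned int OM_uint32;
/* Status layout per RFC 2744: calling/routine errors in the high 16 bits,
 * supplementary info in the low 16; bits 0..4 are already assigned. */
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_S_COMPLETE 0u
#define GSS_S_CONTINUE_NEEDED (1u << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
#define GSS_S_FAILURE (13u << 16)
#define GSS_ERROR(x) ((x) & 0xffff0000u)
/* Value proposed in the thread; not a standardized status code. */
#define GSS_S_PROMPTING_NEEDED (1u << (GSS_C_SUPPLEMENTARY_OFFSET + 5))

typedef int (*demo_prompter)(char *reply, size_t len);
/* Hypothetical stand-in for a partially established security context. */
struct demo_ctx { demo_prompter prompter; int have_otp; int calls; };

/* Mock of GSS_Init_sec_context() for a mechanism needing an OTP mid-exchange. */
static OM_uint32 demo_init_sec_context(struct demo_ctx *c) {
    char otp[16];
    c->calls++;
    if (c->have_otp) return GSS_S_COMPLETE;
    if (c->prompter == NULL) return GSS_S_PROMPTING_NEEDED;
    if (c->prompter(otp, sizeof otp) != 0) return GSS_S_FAILURE;
    c->have_otp = 1;
    return GSS_S_CONTINUE_NEEDED;
}

/* Constructed prompter: supplies a fixed sample reply instead of asking a user. */
static int constructed_prompter(char *reply, size_t len) {
    snprintf(reply, len, "%s", "123456");
    return 0;
}

/* Caller loop: on PROMPTING_NEEDED, attach the prompter and call again. */
static OM_uint32 demo_establish(struct demo_ctx *c, demo_prompter p) {
    OM_uint32 maj;
    do {
        maj = demo_init_sec_context(c);
        if (GSS_ERROR(maj)) break;          /* hard failure: stop */
        if (maj & GSS_S_PROMPTING_NEEDED) {
            if (p == NULL) break;           /* caller cannot prompt: surface the status */
            c->prompter = p;
        }
    } while (maj != GSS_S_COMPLETE);
    return maj;
}

int main(void) {
    struct demo_ctx c = {0};
    return demo_establish(&c, constructed_prompter) == GSS_S_COMPLETE ? 0 : 1;
}
```

Because the proposed bit sits in the supplementary field, `GSS_ERROR()` stays zero for it, so callers that only test for errors would treat it as a non-fatal status.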