On Tue, Sep 14, 2010 at 02:07:09AM +0200, Luke Howard wrote:
> So, right now, the enctype is encoded into the OID, so you can
> actually pick any supported enctype:
>
> % cat /usr/local/etc/gss/mech
> eap 1.3.6.1.4.1.5322.21.1 libmech_eap.dylib
> eap-des3-cbc-sha1 1.3.6.1.4.1.5322.21.1.16 libmech_eap.dylib
> eap-aes128 1.3.6.1.4.1.5322.21.1.17 libmech_eap.dylib
> eap-aes256 1.3.6.1.4.1.5322.21.1.18 libmech_eap.dylib
> eap-rc4-hmac 1.3.6.1.4.1.5322.21.1.23 libmech_eap.dylib
>
> Leaving the last element off picks the default enctype. This is a
> convenience to the initiator; the tokens are always prefixed with the
> concrete mechanism OID.
>
> I'm not proposing we standardise this or the non-AES enctypes, it's
> just a FYI.

Encoding the enctype in the OID is a very good thing to do.

New mechanisms should not bother with rc4 or 1DES, even 3DES, except
that that leaves us with no alternatives to AES, which makes me feel a
tad uncomfortable.

Nico
--
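Added example (not from either message in this thread, and not code from the GSS-EAP implementation being discussed): a Python script that parses the mech-file lines Luke quoted, recovers the enctype number from the last arc of each OID, DER-encodes the OID, and wraps/unwraps an RFC 2743 initial context token so the concrete mechanism OID can be read back off the front of a token, as Luke describes. The enctype-number-to-name table is the standard Kerberos one (RFC 3961, 3962, 4757). Which enctype the bare `eap` OID defaults to is not stated in the thread, so the script reports it as implementation-chosen rather than guessing. The "weak" set follows Nico's remark that new mechanisms should skip rc4 and single DES (and 3DES).

```python
# Constructed sample, copied from the mech file quoted in the thread.
MECH_FILE = """\
eap 1.3.6.1.4.1.5322.21.1 libmech_eap.dylib
eap-des3-cbc-sha1 1.3.6.1.4.1.5322.21.1.16 libmech_eap.dylib
eap-aes128 1.3.6.1.4.1.5322.21.1.17 libmech_eap.dylib
eap-aes256 1.3.6.1.4.1.5322.21.1.18 libmech_eap.dylib
eap-rc4-hmac 1.3.6.1.4.1.5322.21.1.23 libmech_eap.dylib
"""

EAP_BASE_OID = "1.3.6.1.4.1.5322.21.1"

# Kerberos enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Enctypes the thread says a new mechanism should not bother with: rc4, 1DES, 3DES.
WEAK_ENCTYPES = {1, 2, 3, 16, 23}


def parse_mech_file(text):
    """Parse `name oid library` lines; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed mech line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def enctype_from_oid(oid):
    """Return the enctype carried in the single arc after the base OID,
    or None for the bare mechanism OID (default enctype, chosen by the implementation)."""
    if oid == EAP_BASE_OID:
        return None
    prefix = EAP_BASE_OID + "."
    if not oid.startswith(prefix):
        raise ValueError(f"{oid} is not under {EAP_BASE_OID}")
    rest = oid[len(prefix):]
    if not rest.isdigit():  # a dot here would mean more than one extra arc
        raise ValueError(f"{oid} has more than one arc after the base OID")
    return int(rest)


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length form")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def oid_to_der(oid):
    """DER-encode a dotted OID: tag 0x06, length, 40*arc0+arc1, then base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    body = _base128(40 * arcs[0] + arcs[1])
    for a in arcs[2:]:
        body += _base128(a)
    return b"\x06" + _der_length(len(body)) + body


def der_to_oid(der):
    """Inverse of oid_to_der. Returns (dotted OID, bytes consumed)."""
    if not der or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, pos = _read_length(der, 1)
    body = der[pos:pos + length]
    if len(body) != length or (body and body[-1] & 0x80):
        raise ValueError("truncated OID")
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    arcs = ([first // 40, first % 40] if first < 80 else [2, first - 80]) + arcs[1:]
    return ".".join(map(str, arcs)), pos + length


def wrap_initial_token(oid, inner):
    """RFC 2743 section 3.1 framing: 0x60 <len> <mech OID DER> <mechanism inner token>."""
    payload = oid_to_der(oid) + inner
    return b"\x60" + _der_length(len(payload)) + payload


def mech_oid_from_token(token):
    """Read the concrete mechanism OID that prefixes an initial context token."""
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken")
    length, pos = _read_length(token, 1)
    if len(token) - pos != length:
        raise ValueError("token length mismatch")
    oid, _ = der_to_oid(token[pos:])
    return oid


def classify(entries):
    """Map mech name -> (enctype number or None, enctype name, weak flag or None)."""
    out = {}
    for name, oid, _lib in entries:
        et = enctype_from_oid(oid)
        if et is None:
            out[name] = (None, "default enctype (implementation-chosen)", None)
        else:
            out[name] = (et, ENCTYPES.get(et, f"enctype {et}"), et in WEAK_ENCTYPES)
    return out


if __name__ == "__main__":
    for name, (et, ename, weak) in classify(parse_mech_file(MECH_FILE)).items():
        print(f"{name:20} {str(et):>5} {ename:32} {'WEAK' if weak else ''}")
```

Running it lists each mech name with its enctype and flags `eap-des3-cbc-sha1` and `eap-rc4-hmac` as weak; `wrap_initial_token` / `mech_oid_from_token` show why the initiator's shorthand is harmless on the wire: whichever entry the initiator picked, the token carries the fully qualified OID.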