In previous discussions, we have assumed that the key(s) from the KNP
would fall out of the GSS context using the GSS PRF. This requires that
both the initiator and acceptor support this function, which might not
be true of some GSS implementations. We know this to be true of Java,
which may complicate the implementation for the Shibboleth IdP.
In the KNP we are defining a simple XML schema that describes the key
negotiation context; this is returned in the HTTP response that is
returned after the Negotiate exchange concludes. This schema includes an
extension point enabling applications of KNP to include
application-specific data.
Proposition: we could use the extension point to include an element
whose value is a shared secret created by the acceptor. This value could
be encrypted and decrypted using gss_wrap and gss_unwrap. This approach
might simplify implementation in some cases.
josh.
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
|