From: Jeffrey E Altman <jaltman@auristor.com>
To: Herbert Xu <herbert@gondor.apana.org.au>,
David Howells <dhowells@redhat.com>
Cc: Chuck Lever <chuck.lever@oracle.com>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
"David S. Miller" <davem@davemloft.net>,
Marc Dionne <marc.dionne@auristor.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
linux-crypto@vger.kernel.org, linux-afs@lists.infradead.org,
linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 2/8] crypto/krb5: Provide Kerberos 5 crypto through AEAD API
Date: Fri, 10 Jan 2025 13:22:23 -0500 [thread overview]
Message-ID: <f506a4fa-ffa2-4258-ae3c-c3cf4568f9a4@auristor.com> (raw)
In-Reply-To: <Z4DwNPgLFcfy6jdl@gondor.apana.org.au>
[-- Attachment #1: Type: text/plain, Size: 1078 bytes --]
On 1/10/2025 5:02 AM, Herbert Xu wrote:
> So does your use-case support both standard AEAD algorithms such
> as GCM as well as these legacy algorithms?
RXGK is described by
https://datatracker.ietf.org/doc/draft-wilkinson-afs3-rxgk/.
Any RFC3961 ("Encryption and Checksum Specifications for Kerberos 5")
framework encryption algorithm can be used with it.
There have been proposals to add AEAD encryption types to RFC3961. For
example, Luke Howard proposed
https://datatracker.ietf.org/doc/draft-howard-krb-aead/
The Security Considerations section describes the reasons that MIT's
Kerberos team is reluctant to add AEAD algorithms to RFC3961. The
primary one being that AEAD algorithms are not safe for all of the
existing RFC3961 use cases and there is no means of ensuring that AEAD
encryption types would not be misused.
Requests for the addition of AEAD to RFC3961 have come from both the
NFSv4 community and those implementing RXGK. Alas, there has been no
forward progress since the publication of Luke's draft.
Jeffrey Altman
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4276 bytes --]
next prev parent reply other threads:[~2025-01-10 18:30 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-10 1:03 [RFC PATCH 0/8] crypto: Add generic Kerberos library with crypto as AEAD algorithms David Howells
2025-01-10 1:03 ` [RFC PATCH 1/8] crypto/krb5: Add some constants out of sunrpc headers David Howells
2025-01-10 1:03 ` [RFC PATCH 2/8] crypto/krb5: Provide Kerberos 5 crypto through AEAD API David Howells
2025-01-10 5:50 ` Eric Biggers
2025-01-10 7:13 ` David Howells
2025-01-10 9:47 ` Ard Biesheuvel
2025-01-10 14:33 ` David Howells
2025-01-10 9:48 ` Herbert Xu
2025-01-10 10:26 ` David Howells
2025-01-10 10:30 ` Herbert Xu
2025-01-10 11:09 ` David Howells
2025-01-17 8:13 ` David Howells
2025-01-17 8:30 ` David Howells
2025-01-10 10:02 ` Herbert Xu
2025-01-10 10:39 ` David Howells
2025-01-10 10:42 ` Herbert Xu
2025-01-10 18:22 ` Jeffrey E Altman [this message]
2025-01-10 1:03 ` [RFC PATCH 3/8] crypto/krb5: Test manager data David Howells
2025-01-10 1:03 ` [RFC PATCH 4/8] rxrpc: Add the security index for yfs-rxgk David Howells
2025-01-10 1:03 ` [RFC PATCH 5/8] rxrpc: Add YFS RxGK (GSSAPI) security class David Howells
2025-01-10 1:03 ` [RFC PATCH 6/8] rxrpc: rxgk: Provide infrastructure and key derivation David Howells
2025-01-10 1:03 ` [RFC PATCH 7/8] rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI) David Howells
2025-01-10 1:03 ` [RFC PATCH 8/8] rxrpc: rxgk: Implement connection rekeying David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f506a4fa-ffa2-4258-ae3c-c3cf4568f9a4@auristor.com \
--to=jaltman@auristor.com \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).