On 5/8/2015 5:17 PM, Nathaniel McCallum wrote:
>
> I agree that the current situation is not sustainable. I was only
> hoping to start a conversation about how to improve the situation.
>
> For instance, there is this: http://tls-kdh.arpa2.net/
>
> I don't see any reason this couldn't be expanded to do GSSAPI.

I think that TLS-KDH is fundamentally flawed because it is tied to the Kerberos protocol. Most operating systems today support Kerberos, but they do not support a stable standard Kerberos API because such a creature does not exist in the wild. If we want a TLS implementation to make use of Kerberos authentication on a broad range of operating systems, then we must access Kerberos through GSS. Only by using GSS can userland TLS implementations hope to stack on top of the OS-provided Kerberos in a portable way.

> But maybe this mailing list isn't the right place for such a
> discussion.
>
> Perhaps the right question to ask is how much interest there would be
> in improving this situation in the TLS WG and whether or not OpenSSL
> would have interest in implementing such a project.

The IETF TLS WG and perhaps the IETF Kitten WG are the appropriate places to hold discussions. Or perhaps hold an IETF BOF first to explore the interest.

The last time I was involved, the work product was https://tools.ietf.org/html/draft-santesson-tls-gssapi-03

I still believe that is a reasonable approach.

Jeffrey Altman