[openssl-users] Kerberos

Jeffrey Altman jaltman at secure-endpoints.com
Sat May 9 02:09:29 UTC 2015


On 5/8/2015 5:17 PM, Nathaniel McCallum wrote:
>
> I agree that the current situation is not sustainable. I was only
> hoping to start a conversation about how to improve the situation.
> 
> For instance, there is this: http://tls-kdh.arpa2.net/
>
> I don't see any reason this couldn't be expanded to do GSSAPI.

I think that TLS-KDH is fundamentally flawed because it is tied to the
Kerberos protocol.  Most operating systems today support Kerberos but
they do not support a stable standard Kerberos API because such a
creature does not exist in the wild.

If we want a TLS implementation to make use of Kerberos authentication
on a broad range of operating systems, then we must access Kerberos
through GSS. Only by using GSS can userland TLS implementations hope to
stack on top of the OS-provided Kerberos in a portable way.

> But maybe this mailing list isn't the right place for such a
> discussion.
> 
> Perhaps the right question to ask is how much interest there would be
> in improving this situation in the TLS WG and whether or not OpenSSL
> would have interest in implementing such a project.

The IETF TLS WG and perhaps the IETF Kitten WG are the appropriate
places to hold discussions.  Or perhaps hold an IETF BOF first to
explore the interest.  The last time I was involved the work product was

 https://tools.ietf.org/html/draft-santesson-tls-gssapi-03

I still believe that is a reasonable approach.

Jeffrey Altman



