rxgk CombineTokens and enctypes (was Re: [AFS3-std] Re: afs3-rxgk-updates for 03)
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 02 Nov 2012 19:37:54 -0400
Benjamin Kaduk <kaduk@mit.edu> wrote:
>True. My concern is basically about whether we can pass that other
>information in a general-enough fashion to not paint ourselves into a
>corner. Attempting to enumerate the "additional information" one gets
>along with a token makes me wonder if the enumeration is complete, or
>even
>can be complete given the possibility of application-specific data.
Well, the token establishment mechanism certainly has a complete picture of what you get with a token. The only ways in which this operation is different are those in which we define it to be, by providing an alternative. We've done that for the key with the PRF, and for lifetimes with a rule for computing them. We're arguing about whether or how to do so for enctypes and, I think, level.
You don't get "application-specific" data, just what you need to use the token. If an app wants more, it can use an app-specific operation.
More later.
-- Jeff