Date: Sat, 12 Nov 2005 11:06:26 +0000 (GMT)
From: Robert Watson
To: Doug Rabson
Cc: arch@freebsd.org
Subject: Re: New extensible GSSAPI implementation
Message-ID: <20051112110504.X33260@fledge.watson.org>
In-Reply-To: <200511121042.42425.dfr@nlsystems.com>
References: <200511121042.42425.dfr@nlsystems.com>

On Sat, 12 Nov 2005, Doug Rabson wrote:

> For quite a while now (far too long in fact), I've been slowly working
> on an extension framework for GSS-API. This was partly prompted by an
> interest in NFSv4 which requires both LIPKEY [RFC2847] as well as
> Kerberosv5 as security providers. The existing FreeBSD GSS-API library
> comes from Heimdal and only provides Kerberosv5. It is also a necessary
> pre-requisite for an implementation of RPCSEC_GSS which I'm not quite
> ready to commit.

This is great news!
Have you taken a look at the Solaris inclusion of gssapi parts in their
kernel:

http://fxr.watson.org/fxr/source/common/gssapi/?v=OPENSOLARIS

I assume this is associated with NFSv4 support, but haven't dug around at
all yet other than noticing it there the other day. Most other discussion
of GSSAPI I've seen assumes that the crypto takes place in user space, but
having it in kernel has some significant advantages (especially if you
have a fully preemptive kernel, which we now have).

Robert N M Watson