On 06/24/2011 02:04 AM, Nico Williams wrote:

Every bank that uses Active Directory uses Kerberos, and the GSS-like
SSPI.  And the Kerberos GSS mechanism (through SSPI, on Windows).  The
native Windows TLS implementation is accessed via SSPI.

I've used/abused the Windows SSPI a few times for various things. It's pretty darn abstract. Which is not a criticism, only that it's less of an API than an intra-host transport protocol for shipping loosely related structures between apps and the security providers, which are as diverse as Kerb and TLS.

http://msdn.microsoft.com/en-us/library/aa375506%28v=vs.85%29.aspx
For example, the Microsoft doco on InitializeSecurityContext()
has a description and then again separate pages for every security support provider (SSP) that ships with Windows.

Most of the SSPI functions have descriptions like "Used by a server to
create a security context based on an opaque message received from a client" and "Applies a supplemental security message to an existing security context".
http://msdn.microsoft.com/en-us/library/aa374731%28v=VS.85%29.aspx

Again, there's nothing wrong with this. But I suggest a guideline for our discussion of the design of crypto APIs: The API must not be so abstract that it doesn't actually encrypt any data.

- Marsh
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography