To complete the thought I meant to... don't just copy Kerberos. Copy the fixes, and fold them in better.
Regarding crypto primitives, as Jeff Altman points out, the Kerberos ones have been separated out from Kerberos. See RFC 3961 and 3962.

Note that for AES in particular Kerberos relies on ciphertext stealing mode, which is actually quite a pain to work with if you have hardware with high operation overhead. Counter-based modes could work equally well, but much care is needed to keep the likelihood of key+counter reuse near or at zero.

If you're building a GSS-API mechanism at all just steal the Kerberos mechanism's per-token message protocol (as several mechanisms have done).

Nico

--
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
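An added illustration, not from Nico's message or from any Kerberos implementation: the CBC-with-ciphertext-stealing layout that RFC 3962 uses for AES, written over a toy keyed permutation that stands in for AES-128 (an assumption made only so the block runs without a crypto library; key, IV and inputs are constructed). It shows why the mode is awkward for pipelined hardware: the last block is partial, the final two ciphertext blocks are swapped, and the receiver must decrypt the last full block before it can finish the one before it.

```python
import hashlib

BLOCK = 16  # AES block size; the toy permutation keeps the same width

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(key):
    return hashlib.sha256(key).digest()[:BLOCK]

# Stand-in for AES-128 (constructed, NOT secure): XOR with a key-derived pad,
# then rotate byte positions. CTS only needs a keyed permutation of 16-byte blocks.
def toy_block_encrypt(key, block):
    y = _xor(block, _pad(key))
    return y[5:] + y[:5]

def toy_block_decrypt(key, block):
    return _xor(block[-5:] + block[:-5], _pad(key))

def cts_encrypt(key, iv, pt):
    """CBC with ciphertext stealing per RFC 3962: last block may be short, the
    final two ciphertext blocks are always swapped, output length == input length."""
    if len(pt) < BLOCK:
        raise ValueError("RFC 3962 input is at least one block (confounder)")
    n = -(-len(pt) // BLOCK)                   # block count, last maybe partial
    padded = pt + b"\x00" * (n * BLOCK - len(pt))
    prev, blocks = iv, []
    for i in range(n):                         # ordinary CBC over the zero-padded input
        prev = toy_block_encrypt(key, _xor(padded[i*BLOCK:(i+1)*BLOCK], prev))
        blocks.append(prev)
    if n == 1:
        return blocks[0]
    d = len(pt) - (n - 1) * BLOCK              # bytes in the last plaintext block
    # Swap the last two blocks and drop the tail of C[n-2]; the receiver recovers
    # that tail because it equals the tail of the zero-padded block it decrypts.
    return b"".join(blocks[:-2]) + blocks[-1] + blocks[-2][:d]

def cts_decrypt(key, iv, ct):
    n = -(-len(ct) // BLOCK)
    if n == 1:
        return _xor(toy_block_decrypt(key, ct), iv)
    d = len(ct) - (n - 1) * BLOCK
    x = toy_block_decrypt(key, ct[(n-2)*BLOCK:(n-1)*BLOCK])  # (P_last||0) XOR C_prev
    c_prev = ct[(n-1)*BLOCK:] + x[d:]          # stolen tail put back
    p_last = _xor(x[:d], c_prev[:d])
    chain = ct[:(n-2)*BLOCK] + c_prev          # the CBC stream in natural order
    prev, out = iv, []
    for c in (chain[i*BLOCK:(i+1)*BLOCK] for i in range(n - 1)):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out) + p_last
```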