Re: Sending kink to IETF last call
At Tue, 22 Nov 2005 18:11:00 -0500 (EST),
Sam Hartman <hartmans-ietf@xxxxxxx> wrote:
>
> I do have two comments. The first is regarding section 10. Is the
> advice there actually true? Just because I have a keytab doesn't mean
> others won't be using u2u. I'd like to propose removing this section.
I personally have no problem with removing it, because
draft-10 has some guidance on when to go to U2U in section 3.1
and how to deny U2U in section 4.2.8.
> Also, I seem to recall that Kink is actually implemented. I'm a bit
> confused how that works. As far as I know neither MIT nor Heimdal
> actually ship something that implements an RFC 3961 PRF. Did the Kink
> implementation include its own version of the 3961 PRF? If so, can we
> compare test vectors?
(Partially) yes, and yes.
The released KINK implementation in racoon2 was based on draft-06
and it didn't use the 3961 PRF.
I have a version of the implementation based on draft-10 in my CVS branch,
and it does have its own PRF routines (currently, only for des-cbc-md5
and des3-cbc-sha1-kd) as a temporary measure until MIT/Heimdal
provide them.
Test vectors are undoubtedly welcome.
# Of course, new MIT krb5 and Heimdal with 3961 PRF are also welcome :-)
--
KAMADA Ken'ichi <kamada@xxxxxxxxxx>