[cryptography] Anti-GSS falsehoods (was Re: IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM))

Nico Williams nico at cryptonector.com
Fri Jun 24 03:04:30 EDT 2011

On Fri, Jun 24, 2011 at 1:15 AM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>>Were you aware of any of the above? If so, could you please explain your
>>comment in a little bit more detail? If not, then please stop slandering the
> Yes, I was aware of that.  You can remove the string "GSS-API" from your
> comments and replace it with any number of other technologies and the same
> still holds.
> To measure "widespread success" I apply the magic-wand test, if you waved a
> magic wand and all instances of X disappeared, would anyone notice?  With
> CryptoAPI and OpenSSL, where you can barely turn on a computer without running
> into them at some point, you'd notice fairly quickly.  With GSS-API, barely
> anyone would notice.  I did a (admittedly very rough) straw poll at an
> informal gathering of a bunch of people from banks, ISPs, commercial
> organisations, telcos, and so on the other day as a litmus test and everyone
> was aware of, and could name instances where they'd used CryptoAPI (i.e.
> Windows crypto/security) or OpenSSL that day.  Of the few who even knew what
> GSS-API was, none could recall using it.  That's not even in the same league
> as CryptoAPI and OpenSSL.

The two banks I've worked at use Kerberos, and since they use SSHv2
and want SSH to support Kerberos, they also use GSS (to be fair, they
used GSS *before* SSHv2 got GSS support).  They also use GSS for other
things.  At one of those banks they use it particularly extensively.
I also know that Lehman used Kerberos and, IIRC, AFS.  Other banks I
know of also use such technologies.

Every bank that uses Active Directory uses Kerberos, and the GSS-like
SSPI.  And the Kerberos GSS mechanism (through SSPI, on Windows).  The
native Windows TLS implementation is accessed via SSPI.  Most of the
people you talked to probably don't know those details.  If those
things suddenly didn't work, those banks would freak out.  That some
people you spoke to don't know what GSS is hardly indicative of its
actual importance to their business.  Microsoft did such a good job of
integrating Kerberos, LDAP, DNS, SSPI, and their old NT4 protocols,
that most people outside of IT don't really know that using AD means
using Kerberos, or what SSPI is, and they rightly shouldn't have to.

Let's put it this way: the squeaky wheel gets attention, and OpenSSL
is a squeaky wheel (every release being sufficiently incompatible with
the previous one as to cause serious headaches for integrators and
developers), so of course it gets noticed.

>>Perhaps you *dislike* the GSS-API.
> To be honest I have no opinion on it, because it doesn't have enough impact on
> anything for me to allocate cycles to it.  I'm sorry if you feel I've slighted
> your pet(?) API in some way and you feel some need to defend its honour, but
> it's just not that significant.  And that's entirely my point.

My point is that if one is going to design a new API (that's the
proposal, isn't it) then one ought to want to avoid the mistakes of
the new one's predecessors.  You admit knowing little (I think that's
what you meant above) about this one API -nothing shameful in that!-
and you treat it as if it's not worth knowing anything about it at all
based on an informal poll of people who might have had no reason to
know anything about it either.  Only if your poll were right would
that attitude would be defensible.

But, you'll say, you're not proposing a new API, certainly not one
designed by a committee, or something.  The problem I have is that you
condemn things of which you admittedly know probably too little to
judge.  (Incidentally, I read everything you post on the lists we both
subscribe to, because when you write about the thinks I know you know
what you're talking about, it's always worth reading.)

I have no opinion on most of the APIs you mentioned, because I too
have limited cycles.  I have some opinions about OpenSSL and PKCS#11,
and plenty about GSS (I'll tell you all that's wrong with it if you
like).  I just won't condemn the ones I know nothing about.


More information about the cryptography mailing list