svn commit: lorikeet r167 - in trunk/white-papers: .

abartlet at samba.org
Wed Jan 5 03:20:38 GMT 2005


Author: abartlet
Date: 2005-01-05 03:20:37 +0000 (Wed, 05 Jan 2005)
New Revision: 167

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=167

Log:
A little bit more explanation in my new white paper.

Andrew Bartlett

Modified:
   trunk/white-papers/gensec-white-paper.lyx


Changeset:
Modified: trunk/white-papers/gensec-white-paper.lyx
===================================================================
--- trunk/white-papers/gensec-white-paper.lyx	2005-01-05 02:54:59 UTC (rev 166)
+++ trunk/white-papers/gensec-white-paper.lyx	2005-01-05 03:20:37 UTC (rev 167)
@@ -62,6 +62,11 @@
  It would no longer be possible to just pretend to be NT4, and hope that
  the clients did not expect any particularly difficult behaviour.
  This time, these challenges would need to be tackled, not just worked around.
+\layout Standard
+
+Finally, while the word `security' does mean many different things, this
+ paper addresses the issues as they stem from authentication and the related
+ problems.
 \layout Section*
 
 Security functions
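Review bot: the scope sentence added in this hunk ("this paper addresses the issues as they stem from authentication and the related problems") leaves "the related problems" undefined, which is the one phrase a reader needs to know what the paper will and will not cover. Since the paper's later sections name concrete mechanisms (NTLMSSP, SPNEGO, SASL, SCHANNEL), it would help to say here whether mechanism negotiation and the protection of the resulting session are in scope alongside authentication proper, or whether only the authentication step itself is meant. Minor: "does mean many different things" reads more naturally as "means many different things".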
@@ -204,14 +209,34 @@
  
 \layout Standard
 
-On the Microsoft side of the fence, it is well known that SSPI, modaled
- after GSSAPI but without API compatability, is the single source of this
+On the Microsoft side of the fence, it is well known that SSPI, modeled
+ after GSSAPI but without API compatibility, is the single source of this
  kind of security subsystem functionality.
  This modal was chosen not only for quite sensible software engineering
  reasons, but also to provide a single point of audit (and key weakening)
  for encryption export controls.
 \layout Subsection*
 
+History
+\layout Standard
+
+The need for a centralised security subsystem became clear in the development
+ of Samba 3.0.
+ Samba 3.0 contains three distinct, and incomplete implementations of NTLMSSP,
+ at least two implementations of SPNEGO, a very simple SASL client and an
+ SCHANNEL implementation.
+ While it did work, the lack of clear boundaries around many parts of this
+ code made extracting and consolidating this infrastructure a nightmare.
+ With Samba4, the opportunity was grasped to get in early, before too much
+ code was written, and to ensure that boundaries were indeed kept.
+ 
+\layout Standard
+
+This centralisation requirement also ensured that we would always have the
+ same set of security mechanisms available, wherever they were appropriate:
+ not limited by their original source modules.
+\layout Subsection*
+
 Building our own
 \layout Standard
 
@@ -280,6 +305,8 @@
 
 This list is expected to grow, particularly as LDAPv3 has DIGEST-MD5 as
  a `mandatory to implement' security mechanism.
+ It may be possible to link to Cyrus-SASL, to optionally obtain additional
+ mechanisms.
 \layout Subsection*
 
 Recursive challenges
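Review bot: the added sentence "It may be possible to link to Cyrus-SASL, to optionally obtain additional mechanisms." is speculative as written; a white paper reads better if it states either that this is a planned option or that it has been considered and deferred, rather than "may be possible". The wording could also be tightened to "Linking to Cyrus-SASL is one way to obtain additional mechanisms optionally." For the unchanged context line above it, the claim that LDAPv3 has DIGEST-MD5 as a mandatory-to-implement mechanism would benefit from a citation; that requirement comes from RFC 2829 (Authentication Methods for LDAP).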


