Simon Josefsson | 24 Jan 21:46

Re: GnuTLS and RFC2712?

All,

Jack and I discussed adding Kerberos ciphers to GnuTLS, using Shishi.
Most likely the implementation would be in libgnutls-extra, since Shishi
is GPLv3.  I think starting with RFC 2712 may be useful, to see that we
understand it, and then proceed implementing some experimental protocol.

Are others interested in this?

Btw, Nikos, do you know if there is any license problem to use GPLv3
code with mod_gnutls?  As far as I understand, GPLv3 is compatible with
the Apache license, even though GPLv2 was not compatible.  But I may
have missed some point.

/Simon

Jack Bates <ms419 <at> freezone.co.uk> writes:

> Awesome, thanks for your response Simon! I sympathize with your struggle
> to find time, and share your enthusiasm for Kerberos in TLS. I'm excited
> to help however I can. Best wishes, Jack
>
> On Thu, 2008-01-24 at 12:22 +0100, Simon Josefsson wrote:
>> Jack Bates <ms419 <at> freezone.co.uk> writes:
>> 
>> > Hello Simon, I use your awesome Shishi Kerberos implementation and we
>> > have previously corresponded a bit.
>> >
>> > Please excuse this novice question, but I'm quite interested in using
>> > Shishi with GnuTLS to negotiate TLS connections with Kerberos tickets,

Re: GnuTLS and RFC2712?

On Thursday 24 January 2008, Simon Josefsson wrote:

> Btw, Nikos, do you know if there is any license problem to use GPLv3
> code with mod_gnutls?  As far as I understand, GPLv3 is compatible with
> the Apache license, even though GPLv2 was not compatible.  But I may
> have missed some point.

No, I already make use of gnutls-extra in mod_gnutls (in 0.5.0-alpha).

regards,
Nikos
Simon Josefsson | 24 Jan 22:10

Re: GnuTLS and RFC2712?

Nikos Mavrogiannopoulos <nmav <at> gnutls.org> writes:

> On Thursday 24 January 2008, Simon Josefsson wrote:
>
>> Btw, Nikos, do you know if there is any license problem to use GPLv3
>> code with mod_gnutls?  As far as I understand, GPLv3 is compatible with
>> the Apache license, even though GPLv2 was not compatible.  But I may
>> have missed some point.
>
> No, I already make use of gnutls-extra in mod_gnutls (in 0.5.0-alpha).

Ok, great.  I considered putting this in a libgnutls-shishi, to avoid
pulling in Shishi into applications that use libgnutls-extra.  But that
would slow down building GnuTLS even more, so I'm not sure it is worth
it.

/Simon

Re: GnuTLS and RFC2712?

On Thursday 24 January 2008, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <nmav <at> gnutls.org> writes:
> > On Thursday 24 January 2008, Simon Josefsson wrote:
> >> Btw, Nikos, do you know if there is any license problem to use GPLv3
> >> code with mod_gnutls?  As far as I understand, GPLv3 is compatible with
> >> the Apache license, even though GPLv2 was not compatible.  But I may
> >> have missed some point.
> > No, I already make use of gnutls-extra in mod_gnutls (in 0.5.0-alpha).
> Ok, great.  I considered putting this in a libgnutls-shishi, to avoid
> pulling in Shishi into applications that use libgnutls-extra.  But that
> would slow down building GnuTLS even more, so I'm not sure it is worth
> it.

I think the extra lib is a perfect place for it.

regards,
Nikos
Sam Varshavchik | 25 Jan 00:30

Re: GnuTLS and RFC2712?

Simon Josefsson writes:

> Nikos Mavrogiannopoulos <nmav <at> gnutls.org> writes:
> 
>> On Thursday 24 January 2008, Simon Josefsson wrote:
>>
>>> Btw, Nikos, do you know if there is any license problem to use GPLv3
>>> code with mod_gnutls?  As far as I understand, GPLv3 is compatible with
>>> the Apache license, even though GPLv2 was not compatible.  But I may
>>> have missed some point.
>>
>> No, I already make use of gnutls-extra in mod_gnutls (in 0.5.0-alpha).
> 
> Ok, great.  I considered putting this in a libgnutls-shishi, to avoid
> pulling in Shishi into applications that use libgnutls-extra.  But that
> would slow down building GnuTLS even more, so I'm not sure it is worth
> it.

I can tell you that putting this into a separate libgnutls-shishi will make 
it much easier for distributions to package GnuTLS. Requiring shishi as a 
mandatory prerequisite for libgnutls-extra will have one of three results:

1) Distributions will avoid updating to the newer version of GnuTLS, for 
some period of time.

2) Distributions will patch it out themselves, and factor out the 
shishi-dependent bits into a separate module, and a separate subpackage.

3) Distributions will always package GnuTLS with shishi support turned off 
via configure, (or a configure patch).

Re: GnuTLS and RFC2712?

> I can tell you that putting this into a separate libgnutls-shishi will make
> it much easier for distributions to package GnuTLS. Requiring shishi as a
> mandatory prerequisite for libgnutls-extra will have one of three results:

> 3) Distributions will always package GnuTLS with shishi support turned off
> via configure, (or a configure patch).

Why wouldn't someone want to include the shishi support? I can
understand these arguments for SRP which is turned off by some
distributions due to previous patent threats, but I don't think there
is something like it around shishi. If a module system is implemented
it should not be only for shishi, but it should affect all gnutls auth
methods and algorithms. For the moment, since this support doesn't
exist formally, using the gnutls-extra is the appropriate way to add
kerberos. (actually implementing a module system is not hard given how
code is organized, but it requires time I don't have).

regards,
Nikos
Russ Allbery | 25 Jan 02:21

Re: GnuTLS and RFC2712?

Simon Josefsson <simon <at> josefsson.org> writes:

> Btw, Nikos, do you know if there is any license problem to use GPLv3
> code with mod_gnutls?  As far as I understand, GPLv3 is compatible with
> the Apache license, even though GPLv2 was not compatible.  But I may
> have missed some point.

I believe GPLv3 is compatible with the Apache 2.0 license.  The resulting
combined work must be distributed under the GPLv3 with the additional
restriction clause exercised, as permitted by the GPLv3.  The relevant
additional restriction added to the license of the combined work is the
Apache 2.0 patent provision.

This response is based on an answer by RMS to a similar question on
another mailing list.

-- 
Russ Allbery (rra <at> stanford.edu)             <http://www.eyrie.org/~eagle/>
Daniel Dehennin | 25 Jan 17:44

Re: GnuTLS and RFC2712?

On 5258 September 1993, Simon Josefsson typed:
> All,
>
> Jack and I discussed adding Kerberos ciphers to GnuTLS, using Shishi.
> Most likely the implementation would be in libgnutls-extra, since Shishi
> is GPLv3.  I think starting with RFC 2712 may be useful, to see that we
> understand it, and then proceed implementing some experimental protocol.
>
> Are others interested in this?

Hello,

I apologize for the non-response from the Debian BTS, I'm interested in
having Kerberos in TLS.

I just found mod_gnutls for Apache and it handles Server Name
Indication.

I have a test lab with a Heimdal KDC and a mod_auth_kerbized apache.

I can find some time to test your development if it can help.

Regards.
-- 
Daniel Dehennin
Get my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1

Simon Josefsson | 25 Jan 18:55

Re: GnuTLS and RFC2712?

Daniel Dehennin <daniel.dehennin <at> baby-gnu.org> writes:

> On 5258 September 1993, Simon Josefsson typed:
>> All,
>>
>> Jack and I discussed adding Kerberos ciphers to GnuTLS, using Shishi.
>> Most likely the implementation would be in libgnutls-extra, since Shishi
>> is GPLv3.  I think starting with RFC 2712 may be useful, to see that we
>> understand it, and then proceed implementing some experimental protocol.
>>
>> Are others interested in this?
>
> Hello,
>
> I apologize for the non-response from the Debian BTS, I'm interested in
> having Kerberos in TLS.
>
> I just found mod_gnutls for Apache and it handles Server Name
> Indication.
>
> I have a test lab with a Heimdal KDC and a mod_auth_kerbized apache.
>
> I can find some time to test your development if it can help.

Many thanks for following up!  It seems we have some critical mass to be
able to start working on this.  I think that having people test it is
critical in order to get anything done.  How appropriate then that I'm
going on vacation today.. :) But I'm only gone for one week.  After that
I will see how I can allocate some time for this, and then start
working.

Daniel Dehennin | 25 Jan 19:05

Re: GnuTLS and RFC2712?

On 5259 September 1993, Simon Josefsson typed:
> Many thanks for following up!  It seems we have some critical mass to be
> able to start working on this.  I think that having people test it is
> critical in order to get anything done.  How appropriate then that I'm
> going on vacation today.. :) But I'm only gone for one week.  After that
> I will see how I can allocate some time for this, and then start
> working.
>
> Btw, what is mod_auth_kerbized?  I can't seem to find any information
> about it.

Sorry, I mean a mod_auth_kerb enabled apache:
http://modauthkerb.sourceforge.net

It just does authentication.

Regards.
-- 
Daniel Dehennin
Get my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
_______________________________________________
Help-shishi mailing list
Help-shishi <at> gnu.org
http://lists.gnu.org/mailman/listinfo/help-shishi
