Bug 1710 - CoG delegated proxy modulus size
Status: RESOLVED FIXED
Product: CoG jglobus
Component: security
Version: 1.1
Platform: PC Linux
Priority/Severity: P2 major
Reported: 2004-04-21 10:44
Modified: 2005-12-05 17:10 (History)
Description From 2004-04-21 10:44:19
Hello,

I've run into an issue with the CoG proxy delegation performance. In the C
implementation of the gssapi in globus 2.4 the delegated proxy modulus size
defaulted to 512 bits. (In fact for proxies explicitly accepted with
gss_accept_delegation() I think they have to be 512 bits).

In the CoG gssapi the modulus size is calculated in a different way. The bit
size is taken from the accepting context. In our case this is a service context
initialised from a host certificate. Our host certificates happened to be 2048
bits, and we saw a considerable performance fall off for the calculation of the
certificate request during proxy delegation.

I'd like to know if this is intentional behaviour - and if so whether it might
be worthwhile allowing for a mechanism to specify the key size of the delegated
proxy?

Thanks,
David
------- Comment #1 From 2004-04-21 11:01:02 -------
Sam:

this looks like an interesting problem. I'd like to hear your thoughts on this. We
naturally could add the parameter once Jerek is back, but I wonder if the C code
has actually something missing. As I am not so familiar with the C code, I am
curious to hear your response to this. You can stop in my office and tell me, I
will then post a summary of the discussion.

Thanks 

Gregor
------- Comment #2 From 2004-04-23 04:40:57 -------
This has been discussed internally a while ago. The key size should indeed be 
configurable (In C an env var, in Java the same env var propagated as a 
property?) as the required key size of the delegated credential depends on 
external security requirements from the application layer and deployment 
environment.

/Olle
------- Comment #3 From 2004-04-23 06:57:33 -------
Is this sufficient e.g. if we have environments with different length and
different CAs?
------- Comment #4 From 2004-04-23 08:09:21 -------
Hi,

I was wondering why in particular the proxy size was taken from the service
context. What about adding the possibility of defaulting it to the size of the
last credential in the chain of the current connection?

My feeling is that it may be useful to be able to direct the behaviour from the
environment. A specific site may wish to enforce the policy of only producing
proxies with the same key size they have used for the service certificates. Or
(often, I would guess) they would be happy if the whole delegation chain was
kept at the same size.

David
------- Comment #5 From 2004-04-23 08:18:53 -------
Hi,

I bumped up the severity, since it causes us some quite serious performance
problems.

David
------- Comment #6 From 2004-04-28 01:33:32 -------
My original intention was to let the client control the key size (use the top 
most client certificate) but it looks like I mixed the variables. 
Anyway, I'll wait for Sam's input to decide on client control or env. variable 
(or both?) control before working on this.

------- Comment #7 From 2004-04-29 11:21:51 -------
I modified the code so that the key length is determined from the top most 
client certificate (as it was supposed to be originally). Fix committed to cvs.