Re: Shishi Summer of Code

[Simon Josefsson]

Elrond <address@hidden> writes:

> On Wed, May 03, 2006 at 01:47:28PM +0200, Simon Josefsson wrote:
>> Hi all!
>> 
>> Shishi participate, through the GNU project, in the Google Summer of
>> Code, see:
>> 
>> http://code.google.com/soc/
>> 
>> You can earn USD 4500 for working on a Shishi project!
>
> If I were eligible. ;o)
> (Just (successfuly) left university and looking around for
> a PhD place.)

If you are still enrolled at the university, I think you would still
be eligible...

http://code.google.com/soc/studentfaq.html#8

> Acting as a full-time mentor doesn't look like it's paid at
> all, so I can't offer that now.

There is a USD 500 fee for mentoring organization, but I've forgotten
what the decision was whether GNU wanted to keep it or if the mentor
gets it.  There was a long discussion about it.  I should ask, I'm
less interested if GNU wants to keep the money.

> I can offer helping in mentoring someone.

Thanks!  Much appreciated.

Note that if you sign up as mentor with google, you can't sign up as
student, and vice versa.  Really bad, I'm interested in a few student
projects (e.g., Internet2/IETF project), but since I'm a mentor I'm no
longer eligible as student.  Sigh.

> [...]
>>    1. Implement the set/change password protocol, see
>>       draft-ietf-krb-wg-kerberos-set-passwd-04.txt. This would make it
>>       possible to change passwords remotely, through a standardized
>>       protocol.
>
> I can only offer testing and code quality mentoring here.
> My quick look at the spec some weeks ago suggested, that
> it's not too hard and probably possible within the three
> months.

Yup.  There is also RFC 3244, but I'm not sure whether anyone would
find it useful...

>>    2. Implement Public-Key Cryptography for Initial Authentication in
>>       Kerberos, see draft-ietf-cat-kerberos-pk-init-34.txt. This is
>>       another way to support X.509 authentication in Kerberos,
>>       compared to the one which Shishi already support through TLS.
>
> I have no plan on that. ;)

Neither do I.  I think it is a poor protocol.

I'm working on the TLS extensions instead, which allow X.509, OpenPGP,
SRP, TLS-PSK, etc authentication.  I have received funding to complete
the OpenPGP integration, but haven't had much time to work on it. :(

>>    3. Implement cross-realm authentication logic.
>
> That sounds like a tough job to me.
>
> If you get a "student" for that one, I surely want to get
> in touch with her/him to learn about it.
> (windows does _transitive_ cross-realm auth somehow
> internally too. And I don't yet know much about it.)

Cross-realm logic is described in RFC 4120 and isn't that difficult,
you'll only have to query for an additional service with TGT, and then
use it to talk with the next KDC.

I recall a master thesis student from Japan who was interested in
working on this, but I've not heard anything in a long time.

>>    4. Implement functionality to read MIT/Heimdal configuration files
>>       and Kerberos ticket caches. This would enable drop-in use of
>>       Shishi where MIT/Heimdal is used today.
>
> Sounds useful, but doesn't really kick me.

Given the recent writeup on the format, I may do this soon... Reading
existing /etc/krb5.keytab seems like a good thing to permit
MIT/Heimdal to co-exist with Shishi on the same host gracefully.

It might end up as a tool to convert /etc/krb5.keytab to Shishi host
keys.

>> I'm open to hear about other neat ideas, even if you are not
>> volunteering to be either mentor or student.
>
> semi-mentor for some projects.
> I can also help a bit with the GSS/spnego project. (I just
> hacked 25% of spnego for TNG a few days ago. ;) )

Thanks!  I'll remember this if anyone signs up for it.  I'd wish you'd
sign up as student and did it though. :)

/Simon