Re: [apps-discuss] Resending: APPSDIR review of draft-ietf-kitten-gssapi-naming-exts-14

Nico Williams <nico@cryptonector.com> Wed, 18 April 2012 03:33 UTC

Date: Tue, 17 Apr 2012 22:33:40 -0500
Message-ID: <CAK3OfOj9ewm=U6ZVB+Q5r0Q0Pj6P6+KN-9L=kq1T=4KepEhG-w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: William Mills <wmills@yahoo-inc.com>
Cc: Sam Hartman <hartmans-ietf@mit.edu>, "draft-ietf-kitten-gssapi-naming-exts.all@tools.ietf.org" <draft-ietf-kitten-gssapi-naming-exts.all@tools.ietf.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, The IESG <iesg@ietf.org>

On Tue, Apr 17, 2012 at 8:23 PM, William Mills <wmills@yahoo-inc.com> wrote:
> OK, if this is covered by the mechanisms (which is something a GSS expert
> probably knows but I did not) then I'm less worried.  Is it then worthwhile
> to add "Systems must know how to interpret critical mechanism attributes,
> but this is already required by mechanism specifications." in the section
> we're talking about to make it explicit rather than implicit?

Yes.  I like the conciseness of the text you propose.  The text I had in
mind was something like this:

   The manner in which name attributes are conveyed by GSS
   mechanisms is mechanism-specific.  If a GSS mechanism
   provides a way to indicate criticality then local policy MAY
   require that any given GSS name attribute be expressed using
   critical elements of the mechanism.  However, criticality is not
   exposed in this API because criticality is intended to be handled
   by local policy and the mechanisms.  This means that a system
   that lacks local policy by which to deal with critical mechanism
   elements conveying name attributes should fail security context
   establishment when such critical elements are used by the
   peer.

That's quite a mouthful, so I tend to prefer your text.

Nico
--
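A toy model of the fail-closed rule in the draft text quoted in the message above, added here as an illustration; it is not the draft's text and not code from any GSS-API implementation, and the element type, policy table and attribute identifiers are hypothetical:

```python
# Added illustration (not GSS-API code, not the draft's text): a toy model of
# the criticality rule. Types, names and the policy table are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


@dataclass(frozen=True)
class MechElement:
    """A mechanism element carrying one name attribute from the peer."""
    attr: str               # attribute identifier, e.g. a URN (constructed)
    value: bytes
    critical: bool = False  # whether the mechanism flagged it critical


class ContextEstablishmentFailure(Exception):
    """Raised when local policy cannot safely accept the peer's elements."""


# Local policy: attribute identifier -> validator for the attribute value.
# Any identifier absent from the table means "no local policy for it".
Policy = Dict[str, Callable[[bytes], bool]]


def accept_name_attributes(elements: Iterable[MechElement],
                           policy: Policy) -> Dict[str, bytes]:
    """Apply the criticality rule and return the accepted attributes.

    - critical, no policy entry        -> fail context establishment
    - critical, validator rejects      -> fail context establishment
    - non-critical, no policy entry    -> ignored (not returned)
    - non-critical, validator rejects  -> ignored (assumption: dropping a
      non-critical attribute is safe; failing hard is also defensible)
    """
    accepted: Dict[str, bytes] = {}
    for el in elements:
        validator = policy.get(el.attr)
        ok = validator(el.value) if validator is not None else None
        if ok:
            accepted[el.attr] = el.value
        elif el.critical:
            reason = "no local policy" if ok is None else "rejected by policy"
            raise ContextEstablishmentFailure(f"{el.attr}: {reason}")
        # else: non-critical and unhandled or rejected -> silently dropped
    return accepted


# Constructed sample policy: only one attribute is understood locally.
SAMPLE_POLICY: Policy = {
    "urn:example:group": lambda v: v.isascii() and len(v) <= 64,
}
```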