Re: [Gen-art] Gen-ART Telechat Review of draft-ietf-kitten-sasl-saml-08
Simon Josefsson <simon@josefsson.org> Wed, 18 January 2012 13:29 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 808FE21F87F5; Wed, 18 Jan 2012 05:29:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.909
X-Spam-Level:
X-Spam-Status: No, score=-99.909 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kVkRUj-l16Sg; Wed, 18 Jan 2012 05:29:39 -0800 (PST)
Received: from yxa-v.extundo.com (static-213-115-179-173.sme.bredbandsbolaget.se [213.115.179.173]) by ietfa.amsl.com (Postfix) with ESMTP id AE4AF21F8707; Wed, 18 Jan 2012 05:29:38 -0800 (PST)
Received: from latte.josefsson.org (static-213-115-179-130.sme.bredbandsbolaget.se [213.115.179.130]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q0IDTatD012501 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 18 Jan 2012 14:29:37 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Ben Campbell <ben@nostrum.com>
References: <5FBCE42B-679F-4BD5-B30B-A11664734A0B@nostrum.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:120118:gen-art@ietf.org::0WiMm4IQC4Me03Pw:0g1
X-Hashcash: 1:22:120118:ietf@ietf.org::nA6wvOZ4yoIZ9Hww:Y+9
X-Hashcash: 1:22:120118:ben@nostrum.com::+6vXyW0Wx11f+5sP:0Aoj
X-Hashcash: 1:22:120118:draft-ietf-kitten-sasl-saml.all@tools.ietf.org::dG4Q9pICu7NCEzyQ:FY9H
Date: Wed, 18 Jan 2012 14:29:36 +0100
In-Reply-To: <5FBCE42B-679F-4BD5-B30B-A11664734A0B@nostrum.com> (Ben Campbell's message of "Fri, 13 Jan 2012 16:00:08 -0600")
Message-ID: <87k44p6svz.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Cc: "gen-art@ietf.org Review Team" <gen-art@ietf.org>, The IETF <ietf@ietf.org>, draft-ietf-kitten-sasl-saml.all@tools.ietf.org
Subject: Re: [Gen-art] Gen-ART Telechat Review of draft-ietf-kitten-sasl-saml-08
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2012 13:29:39 -0000
Ben Campbell <ben@nostrum.com> writes: >> -- section 7 >> >> Does the GSS-API description introduce security considerations? If >> not, please say so. >> > > I did not see a response to this comment. I missed this in my last e-mail. I propose we add another sub-section of the security considerations like this: 7.5. GSS-API specific security considerations Security issues inherent in GSS-API (RFC 2743) and GS2 (RFC 5801) apply to the SAML GSS-API mechanism defined in this document. Further, and as discussed in section 4, proper TLS server identity verification is critical to the security of the mechanism. I believe this should cover the relevant security considerations. Of course, having more implementation experience with the SAML mechanism used as a GSS-API mechanism may help to identify further security considerations for the GSS-API mechanism. However, I don't believe that is a show-stopper that prevent publication now. /Simon
- [Gen-art] Gen-ART Telechat Review of draft-ietf-k… Ben Campbell
- Re: [Gen-art] Gen-ART Telechat Review of draft-ie… Simon Josefsson
- Re: [Gen-art] Gen-ART Telechat Review of draft-ie… Klaas Wierenga