IETF Logo Mail Archive

Re: Misconceptions about the GSS-API

Nico Williams <nico@cryptonector.com> Fri, 13 July 2012 21:53 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7B6F21F86DD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 13 Jul 2012 14:53:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.369
X-Spam-Level:
X-Spam-Status: No, score=-7.369 tagged_above=-999 required=5 tests=[AWL=2.608, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0YC9Wyutu0qT for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 13 Jul 2012 14:53:35 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id D7A3021F86D1 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 13 Jul 2012 14:53:34 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Spnny-0001dq-4A for ietf-http-wg-dist@listhub.w3.org; Fri, 13 Jul 2012 21:53:42 +0000
Resent-Date: Fri, 13 Jul 2012 21:53:42 +0000
Resent-Message-Id: <E1Spnny-0001dq-4A@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Spnnq-0001ch-94 for ietf-http-wg@listhub.w3.org; Fri, 13 Jul 2012 21:53:34 +0000
Received: from caiajhbdcbef.dreamhost.com ([208.97.132.145] helo=homiemail-a64.g.dreamhost.com) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Spnno-0002Dl-NJ for ietf-http-wg@w3.org; Fri, 13 Jul 2012 21:53:34 +0000
Received: from homiemail-a64.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a64.g.dreamhost.com (Postfix) with ESMTP id B664E43807F for <ietf-http-wg@w3.org>; Fri, 13 Jul 2012 14:53:11 -0700 (PDT)
Received: from mail-yw0-f43.google.com (mail-yw0-f43.google.com [209.85.213.43]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a64.g.dreamhost.com (Postfix) with ESMTPSA id 8E62A43807E for <ietf-http-wg@w3.org>; Fri, 13 Jul 2012 14:53:11 -0700 (PDT)
Received: by yhl10 with SMTP id 10so4541431yhl.2 for <ietf-http-wg@w3.org>; Fri, 13 Jul 2012 14:53:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.66.75.225 with SMTP id f1mr5051406paw.35.1342216390568; Fri, 13 Jul 2012 14:53:10 -0700 (PDT)
Received: by 10.143.29.16 with HTTP; Fri, 13 Jul 2012 14:53:10 -0700 (PDT)
In-Reply-To: <CAMm+LwjZSxpbO97f8C8z4PO=uo9DA8-7SuDC-8ZRVGHeqmQO+A@mail.gmail.com>
References: <CAK3OfOhrjOTa5miWJdDd4_gEHHCD4rODwjwtEQz248yfqfjueg@mail.gmail.com> <46146.1342211869@critter.freebsd.dk> <CAK3OfOh7P1pdf91UFA8xj6nxj+c0__Bg11HZHy83mAbbBwFmgg@mail.gmail.com> <CAMm+LwjZSxpbO97f8C8z4PO=uo9DA8-7SuDC-8ZRVGHeqmQO+A@mail.gmail.com>
Date: Fri, 13 Jul 2012 16:53:10 -0500
Message-ID: <CAK3OfOheTgCchv=9bZiLEdktcH27+c6+Lhx0RwNBEQ+DTSz4Yg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: none client-ip=208.97.132.145; envelope-from=nico@cryptonector.com; helo=homiemail-a64.g.dreamhost.com
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001
X-W3C-Scan-Sig: lisa.w3.org 1Spnno-0002Dl-NJ 0ff0e130ccfa7c3089cfd42c4a71d781
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Misconceptions about the GSS-API
Archived-At: <http://www.w3.org/mid/CAK3OfOheTgCchv=9bZiLEdktcH27+c6+Lhx0RwNBEQ+DTSz4Yg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/14166
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Fri, Jul 13, 2012 at 4:18 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> On Fri, Jul 13, 2012 at 5:04 PM, Nico Williams <nico@cryptonector.com> wrote:
>> There are many enormous APIs out there where only a small subset is
>> necessary for common applications.  The functions that most GSS
>> applications don't need are not functions that you can shoot your feet
>> off with.  It sounds to me like you're not familiar with the GSS-API.
>
> And intend to remain so unless you can identify the small subset that
> is needed and separate it out from all the rest.

I can commit to writing an I-D in short order describing "profiles" of
the API, but I'd expect you to read it :)

> Oh and explain the whole project in terms of bits on the wire rather
> than multi-tiered abstractions that mean something to people with
> decades of experience of GSS-API but nothing to the rest of us.

Well, different audiences will want different points of view.  I could
try several approaches.

> I have been in the business of Web Security twenty years as of
> September. In all that time the only people who have ever brought up
> the issue of support for it have been GSS-API developers. I have never
> once had a customer ask for it.

Did they ever ask for HTTP/Negotiate?  Did they ever ask for SSPI?

>
>
>> APIs like OpenSSL's are awful, I give you that.  If you used the
>> GSS-API as an interface to TLS you'd have a very trivial client,
>> particularly for anonymous clients.  You'd only need these functions:
>>
>>  - GSS_Import_name(), which you'd call to get a NAME object
>> corresponding to the server's hostname
>
> You still don't get our point. How does this call relate to HTTP? What
> data objects are produced? What do they look like on the wire? How
> does it affect protocol state?

See my I-D!  It has figures, with bits on the wire.  Textual bits on
the wire!  My examples use SCRAM, which is all-text, with only a tiny
bit of base-64 encoding of binary data.  Here:

http://tools.ietf.org/html/draft-williams-rest-gss-01#section-3

BTW, my classification I-D also has examples of what several possible
approaches might look like:

http://tools.ietf.org/html/draft-williams-httpbis-auth-classification-01#section-3.3

> What you have there is not a protocol, it is an implementation.

No.  It's a protocol.  The use of the API is strictly for
specification purposes.  Implementors can use or not use the API.

>>  - GSS_Init_sec_context(), which you'd call with that NAME object, the
>> mechanism OID for TLS, and all default arguments
>>  - GSS_Wrap() and GSS_Unwrap() to implement the application record layer
>>  - GSS_Release_name(), GSS_Deleset_sec_context(), and
>> GSS_Release_buffer() to release resources
>>
>> That's *it* (oh, and GSS_Display_status() to get printable errors).
>> All the complexity of validating the server cert and ensuring that it
>> is good for the given hostname would be buried in the mechanism.  If
>> you need to specify different trust anchor sets for different hosts
>> that would require one more function (though the GSI TLS mechanism
>> doesn't support it, but I could make sure it gets added...).
>
> Assuming that we embed your library into all the clients and servers.

Nope.  See my reply to Poul-Henning Kamp.  The API is NOT required for
implementing.

Nico
--

v2.23.0 | Report a Bug | By Email