Towards closure re GSS_Parse_token()
John Linn <linn@cam.ov.com> Mon, 08 May 1995 20:52 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa10370; 8 May 95 16:52 EDT
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa10366; 8 May 95 16:52 EDT
Received: from pad-thai.cam.ov.com by CNRI.Reston.VA.US id aa15246; 8 May 95 16:52 EDT
Received: from MIT.EDU by pad-thai.cam.ov.com (8.6.12/) with SMTP id <PAA28729@pad-thai.cam.ov.com>; Mon, 8 May 1995 15:40:13 -0400
Received: from pad-thai.cam.ov.com by MIT.EDU with SMTP id AA28527; Mon, 8 May 95 15:39:54 EDT
Received: from winkl.cam.ov.com by pad-thai.cam.ov.com (8.6.12/) with ESMTP id <PAA28681@pad-thai.cam.ov.com>; Mon, 8 May 1995 15:40:01 -0400
Received: from localhost by winkl.cam.ov.com (8.6.10/4.7) id PAA12135; Mon, 8 May 1995 15:39:59 -0400
Message-Id: <199505081939.PAA12135@winkl.cam.ov.com>
To: cat-ietf@mit.edu
Cc: linn@cam.ov.com
Subject: Towards closure re GSS_Parse_token()
Date: Mon, 08 May 1995 15:39:58 -0400
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: John Linn <linn@cam.ov.com>
CAT fanciers: In the interest of progress and parallelism as other discussions proceed, I'd like to reach closure on the question of whether or not to include within the GSS-V2 spec a GSS_Parse_token() routine, based on or derived from SPKM_Parse_token(). It doesn't appear that our discussions on this issue have converged. We appear agreed that not all of SPKM_Parse_token()'s attribute outputs (mechanism type, token type, and associated context handle) can be provided in all circumstances and by all mechanisms, but remain divergent as to the utility of such a routine to application writers despite this fact. It doesn't appear to me, therefore, that consensus to include this facility within GSS-V2 has been achieved; unless further discussion ensues in response to this message, my working assumption is that we're not currently pursuing standardization of GSS_Parse_token(). Mechanism implementors able and interested in incorporating such a function may, of course, do so as an additional feature alongside their GSS-API libraries. For reference, the remainder of this message reviews the bidding on this topic. As a result of discussion at Danvers, I sent out an implementor's poll query on 7 April to the list, with the following relevant paragraph: >(2) Referring to the SPKM_Parse_token() routine as described in >draft-ietf-cat-spkmgss-02.txt, we would like to consider the >feasibility of incorporating an equivalent routine within GSS-V2. >Question to implementors: please review the definition of this routine >and consider whether its functionality is implementable within your >mechanism and code base. The following replies were received on this point: Marc Horowitz: "The gss_parse_token() routine would be easy to implement, and it would do the right thing for all krb5 tokens." Marc subsequently clarified (25 April), however: "I don't believe that SPKM_Parse_token() is a useful function in light of its inherent nonportability, and I'd rather not see it included in the spec." Dennis Glatting: "My vote: Do not include a derivitive of SPKM_Parse_token() in V2. Unless there is a requirement to encode an OID in all tokens then the usefulness of a SPKM_Parse_token() derivative in GSSAPI-V2 is dubious." John Wray: "We do include the GSS wrapper on every token; we don't send any context identifier along with a token. So from a token we can identify the mechanism and the token-type, but not the context to which it belongs. Therefore we can provide some but not all of gss_parse_token's functionality." Following some exchanges about extending gss_process_context_token() to return descriptive attributes about a token, I observed that the SPKM_Parse_token() proposal provides a general approach to the question of determining attributes of a token, also covering other attributes besides mechanism type and equally suited to context management and per-message tokens. I suggested, therefore, that we should focus discussion on this proposal rather than on alternatives which provide specific subsets of its capabilities, and further indicated an expectation that at least a part of that routine's functions would be performed within an upper, mechanism-independent sublayer. Dan Nessett replied (25 April): "I would strongly support the inclusion of a gss_parse_token() that returns the mech_type of an InitialContextToken. If it returns other information, that's OK too, but I don't see a way to write the mechanism independent glue layer without something that does the former." Dennis Glatting commented (25 April), regarding the value of parse_token(): "That section [draft-ietf-cat-spkmgss-02.txt, sec. 6] assumes all tokens are encoded with an OID and a token type identifier. The GSS-API does not make that a requirement thereby making the SPKM_Parse_token()'s utility as a general purpose GSS-API function dubious. Further, SPKM_Parse_token()'s function is to aid demultiplexing tokens which is only useful in a limited context. The function SPKM_Parse_token() is useful if you have a single context for a given mechanism and are blindly exchanging tokens after a context is established. However, many application protocols know what is being exchanged and how to process the data thereby mitigating the need to interrogate GSS-API tokens. Further, those application protocols may have to encapsulate GSS-API tokens to indicate length. Why not a type indicator too? When we look away from mechanism exclusivity and tokens sent blindly across a connection to multiple mechanism contexts across one or more connections then the utility of SPKM_Parse_token() is lost. For these reasons I do not believe a GSS-API variant of SPKM_Parse_token() is useful to the application programmer. My questions stand." Doug Rosenthal commented (27 April): "Not to belabor the issue, but given that the token parsing functionality is either put in a separate function (aka parse_token) or done "manually" in a multi-mech glue layer, the former would be more convenient - as it could be used/called by either a multi-mech glue layer or a single-mech application (if necessary). Doesn't seem like a hard function to implement, and would give application developers another utility function if they needed it. Also, is it really non-portable if some implementations simply return null for some of the function outputs while other implementations return non-null values? Isn't this the case for some of the other GSS functions anyway, depending on the underlying mechansim/implementation? (e.g. the _state values returned from init/accept_sec_context)" --jl
- Towards closure re GSS_Parse_token() John Linn