RE: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous

Larry Zhu <lzhu@windows.microsoft.com> Sun, 27 July 2008 15:00 UTC

From: Larry Zhu <lzhu@windows.microsoft.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Date: Sun, 27 Jul 2008 08:00:06 -0700
Subject: RE: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous
Thread-Topic: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous
Thread-Index: AcjhBdrcnURfrBBrQimCXzrQUl1PtQO8yRnQ
Message-ID: <AB1E5627D2489D45BD01B84BD5B90046061C497D5D@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
References: <tsl63vhl3cf.fsf@mit.edu> <AB1E5627D2489D45BD01B84BD5B9004602C69C7A32@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <tslzlosmp8f.fsf@mit.edu>
In-Reply-To: <tslzlosmp8f.fsf@mit.edu>
Cc: "ietf-krb-wg@anl.gov" <ietf-krb-wg@anl.gov>, "ietf@ietf.org" <ietf@ietf.org>

Sam and I got together today and discussed this issue. We believe that by adding the following text we have the right trade-off.

  If anonymous PKINIT is used, the returned realm name MUST be the anonymous realm.

All the issues in this thread are assumed to have been addressed with this proposed change. This is pending workgr
--larry

-----Original Message-----
From: ietf-krb-wg-bounces@lists.anl.gov [mailto:ietf-krb-wg-bounces@lists.anl.gov] On Behalf Of Sam Hartman
Sent: Tuesday, July 08, 2008 7:21 AM
To: Larry Zhu
Cc: ietf-krb-wg@anl.gov; ietf@ietf.org
Subject: Re: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous

>>>>> "Larry" == Larry Zhu <lzhu@windows.microsoft.com> writes:

    >> First, if I call gss_display_name on an anonymous principal in
    >> an acceptor, what do I expect to get back?

    Larry> Would section 2.1.1 of RFC1964 be sufficient for this
    Larry> purpose?

not really.  As Ken pointed out, there is a significant mess
surrounding GSS-API and anonymous names.  See section 4.5 in RFC 2743.
In particular, two anonymous names need to compare as false; a special
name type is used; etc.  The GSS-API semantics do not seem to match
well onto some of the Kerberos semantics you propose.

Martin Rex said that the anonymous support was relatively immature in
GSS-API and that perhaps it needed to be revisited.  I tend to agree.

The other concern I have is the multiple ways to specify anonymous
names for the AS case.  I don't understand why we need multiple ways
to do that.

--Sam

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
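The two rules this thread turns on, as an added example that is not part of the mailing-list message and not code from any Kerberos implementation: the GSS-API comparison semantics Sam cites (RFC 2743 section 4.5: an anonymous name never compares equal to another name, even another anonymous one) and the proposed MUST that an anonymous PKINIT reply carry the anonymous realm. The concrete values are assumptions taken from RFC 6112, the published form of draft-ietf-krb-wg-anonymous, not from this thread: the anonymous realm name "WELLKNOWN:ANONYMOUS", the anonymous principal "WELLKNOWN/ANONYMOUS" and name type NT-WELLKNOWN (7). The AS-REP structure is a constructed stand-in for the real ASN.1 message.

```python
"""Checks for the anonymous-name rules discussed in the thread.

Added example; not from the message above and not MIT, Heimdal or
Windows code.  Assumed constants (from RFC 6112, not from this thread):
anonymous realm "WELLKNOWN:ANONYMOUS", anonymous principal
"WELLKNOWN/ANONYMOUS", name type NT-WELLKNOWN = 7.
"""
from dataclasses import dataclass

NT_PRINCIPAL = 1          # RFC 4120 name type for ordinary principals
NT_WELLKNOWN = 7          # assumed: RFC 6112 name type for well-known names
ANONYMOUS_REALM = "WELLKNOWN:ANONYMOUS"      # assumed, RFC 6112
ANONYMOUS_NAME = ("WELLKNOWN", "ANONYMOUS")  # assumed, RFC 6112


@dataclass(frozen=True)
class PrincipalName:
    name_type: int
    name_string: tuple
    realm: str

    def is_anonymous(self) -> bool:
        """Anonymous means the well-known name type plus the well-known
        name string; the realm alone does not make a name anonymous."""
        return (self.name_type == NT_WELLKNOWN
                and self.name_string == ANONYMOUS_NAME)

    def __str__(self) -> str:
        return "/".join(self.name_string) + "@" + self.realm


def gss_names_equal(a: PrincipalName, b: PrincipalName) -> bool:
    """GSS-API semantics (RFC 2743 section 4.5): an anonymous name is never
    equal to any other name, including a second anonymous name.  Plain
    structural equality (a == b) would say two anonymous names are the
    same, which is exactly the mismatch the thread points at."""
    if a.is_anonymous() or b.is_anonymous():
        return False
    return a == b


@dataclass
class ASRep:
    """Constructed stand-in for the fields of an AS-REP that matter here."""
    crealm: str
    cname: PrincipalName
    anonymous_pkinit: bool  # True when the client used anonymous PKINIT


def check_as_rep(rep: ASRep) -> list:
    """Return the rule violations in an anonymous AS-REP (empty list = ok).

    Rule 1 is the text proposed in this thread: if anonymous PKINIT is
    used, the returned realm MUST be the anonymous realm.  Rule 2 is an
    assumption from RFC 6112: the client name in an anonymous reply is
    the anonymous principal."""
    violations = []
    if rep.anonymous_pkinit and rep.crealm != ANONYMOUS_REALM:
        violations.append(
            "anonymous PKINIT reply carries realm %r, MUST be %r"
            % (rep.crealm, ANONYMOUS_REALM))
    if not rep.cname.is_anonymous():
        violations.append(
            "cname %s is not the anonymous principal" % rep.cname)
    return violations


if __name__ == "__main__":
    anon_a = PrincipalName(NT_WELLKNOWN, ANONYMOUS_NAME, ANONYMOUS_REALM)
    anon_b = PrincipalName(NT_WELLKNOWN, ANONYMOUS_NAME, ANONYMOUS_REALM)
    print("structurally equal:", anon_a == anon_b)
    print("GSS-API equal:     ", gss_names_equal(anon_a, anon_b))
    good = ASRep(ANONYMOUS_REALM, anon_a, anonymous_pkinit=True)
    # Realm leaked in an anonymous PKINIT reply: the violation the MUST forbids.
    leaky = ASRep("EXAMPLE.COM",
                  PrincipalName(NT_WELLKNOWN, ANONYMOUS_NAME, "EXAMPLE.COM"),
                  anonymous_pkinit=True)
    for rep in (good, leaky):
        print(rep.crealm, "->", check_as_rep(rep) or "ok")
```

The point of keeping `gss_names_equal` separate from dataclass equality is the one Sam raises: a Kerberos implementation can happily treat two anonymous principals as the same name, while a GSS-API acceptor must report them as different, so an acceptor that forwards the Kerberos comparison to `gss_compare_name` gets the RFC 2743 semantics wrong.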
