Re: CAT WG Review Last-Call: draft-myers-auth-sasl-04.txt
John Gardiner Myers <jgm@cmu.edu> Fri, 02 August 1996 18:13 UTC
Received: from ietf.org by ietf.org id aa17043; 2 Aug 96 14:13 EDT
Received: from cnri by ietf.org id aa17039; 2 Aug 96 14:13 EDT
Received: from pad-thai.cam.ov.com by CNRI.Reston.VA.US id aa11799; 2 Aug 96 14:13 EDT
Received: from MIT.EDU by pad-thai.cam.ov.com (8.7.5/) with SMTP id <RAA11097@pad-thai.cam.ov.com>; Fri, 2 Aug 1996 17:32:17 GMT
Received: from PO10.ANDREW.CMU.EDU by MIT.EDU with SMTP id AA01296; Fri, 2 Aug 96 13:32:12 EDT
Received: (from postman@localhost) by po10.andrew.cmu.edu (8.7.5/8.7.3) id NAA00721 for cat-ietf@mit.edu; Fri, 2 Aug 1996 13:32:03 -0400
Received: via switchmail; Fri, 2 Aug 1996 13:32:02 -0400 (EDT)
Received: from hogtown.andrew.cmu.edu via qmail ID </afs/andrew.cmu.edu/service/mailqs/testq0/QF.Qm0XgXW00WBw00ubU0>; Fri, 2 Aug 1996 13:30:11 -0400 (EDT)
Received: from hogtown.andrew.cmu.edu via qmail ID </afs/andrew.cmu.edu/usr7/jgm/.Outgoing/QF.sm0XgWC00WBw0Yk:A0>; Fri, 2 Aug 1996 13:30:10 -0400 (EDT)
Received: from BatMail.robin.v2.14.CUILIB.3.45.SNAP.NOT.LINKED.hogtown.andrew.cmu.edu.sun4m.54 via MS.5.6.hogtown.andrew.cmu.edu.sun4_51; Fri, 2 Aug 1996 13:30:08 -0400 (EDT)
Message-Id: <Am0XgUi00WBw0Yk_00@andrew.cmu.edu>
Date: Fri, 02 Aug 1996 13:30:08 -0400
Sender: ietf-archive-request@ietf.org
From: John Gardiner Myers <jgm@cmu.edu>
To: cat-ietf@mit.edu
Subject: Re: CAT WG Review Last-Call: draft-myers-auth-sasl-04.txt
In-Reply-To: <199608021340.JAA18008@winkl.cam.ov.com>
References: <199608021340.JAA18008@winkl.cam.ov.com>
John Linn <linn@cam.ov.com> writes: > (1) The section proposes that IANA act as a comment clearinghouse, > [...]. I'm not aware of precedent for IANA assuming > this role with other registered objects: is there precedent for IANA > taking on this responsibility, and/or has it been accepted by the IANA > for this case? This text was lifted from draft-ietf-822ext-mime-reg-04.txt, which I believe is currently in IETF-wide Last Call. > (2) The section suggests that authors of SASL mechanisms are > "encouraged to seek community review and comment whenever that is > feasible", by publishing as Internet-Drafts and optionally as > Informational RFCs. Nowhere in the section is the prospect of > specifying SASL mechanisms through the IETF standards track mentioned. I personally don't see the need to belabor the obvious, though I'm certainly open to suggestios for clarifying wording. I don't see the need for the namespace complexity of draft-ietf-822ext-mime-reg-04.txt. There are going to be far fewer SASL mechanisms than media types. The situation is akin to assigning well known ports to protocols. There needs to be a registry mapping names (ports) to mechanisms (protocols). The need to register the name/port is independent of the need/desire to standardize the protocol. We encourage, but do not require the specifics of the protocol to be disclosed. If, after publishing an internet-draft as suggested by the registration document, there is community interest, then the rest of the IETF standards track process can continue. > Given the fact that the SASL document defines three mechanisms > (including GSS-API which, in turn, enables access to a variety of > underlying security technologies), I'd expect that the need to define > additional SASL-level mechanisms should be fairly rare and that, if > such additional mechanisms were required for IETF purposes, their > definitions would appropriately target the same standards-track status > (and attendant community review) that SASL itself is targeting. There is currently a mechanism named CHAP in IETF-wide Last Call. There is also an unpublished anonymous-diffie-hellman mechanism that has been developed by an SMTP server vendor. (I am currently trying to get the author of same to publish the spec as an I-D). Frankly, I have no idea if the creation/registration of new SASL mechanisms will be frequent or rare. I suppose a large part of it will depend on whether or not GSSAPI is accepted. > Re section 5.2, 2nd paragraph, should the references here to "content > type" instead say "SASL mechanism"? Yes, fixed. > Re section 6, I think it would be useful, in a cross-mechanism fashion > or in conjunction with each mechanism's definition, to state what > behavior should occur if the proferred authorization identity is not > accepted by the server. Each mechanism states that the server must "verify" such-and-such. The authorization of the identity in the credentials to authenticate as the proferred authorization identity is but one thing each mechanism requires be verified. It is a rather fundamental concept that if any verification fails, the exchange fails and the server indicates this through the method defined in the protocol's profile. Perhaps I should state this in section 3? > Re section 6.1, 2nd paragraph, 2nd sentence: are the Kerberos ticket > and authenticator included contiguously, in that order, and is any > other framing included within the message? They are included contiguously, as krb_mk_req() in the MIT API generates them. This is fairly standard in Kerberos v4-based schemes. > Re sec. 6.2.1, 3rd paragraph, and sec. 6.2.2, 2nd paragraph: both of these > paragraphs contain references to "protection mechanisms"; I believe that > they should be updated to "security layers" to match the term as used in > Sec. 6.2.3. fixed > Sec. 6.3, 4th para, typo: "musth". Was fixed based on someone else's comment. -- _.John Gardiner MyersInternet: jgm+@CMU.EDU LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
- Re: CAT WG Review Last-Call: draft-myers-auth-sas… John Gardiner Myers
- Re: CAT WG Review Last-Call: draft-myers-auth-sas… John Linn
- CAT WG Review Last-Call: draft-myers-auth-sasl-04… John Linn
- Re: CAT WG Review Last-Call: draft-myers-auth-sas… John Gardiner Myers
- Re: CAT WG Review Last-Call: draft-myers-auth-sas… Theodore Y. Ts'o