Re: comments on the latest GSSAPI draft changes

Michael Richardson <mcr@sandelman.ottawa.on.ca> Fri, 15 October 1999 19:50 UTC

Message-Id: <199910151815.OAA01745@pzero.sandelman.ottawa.on.ca>
To: ipsec@lists.tislabs.com
Subject: Re: comments on the latest GSSAPI draft changes
In-reply-to: Your message of "Thu, 14 Oct 1999 11:29:59 PDT." <19398D273324D3118A2B0008C7E9A56902751614@SIT.platinum.corp.microsoft.com>
Date: Fri, 15 Oct 1999 14:15:14 -0400
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Exchange" == Exchange  <Brian> writes:
    Exchange> Agreed.  But, shipping based on internet drafts is a necessary
    Exchange> evil.  Given that some vendors find this necessary, the

  No, it is just evil. XAUTH/GSSAPI/etc. should not have specified numbers
at *ALL*.

  The ISAKMP protocol provides for ways for vendors to use the private
address space in a nice fashion. It is called the Vendor ID payload.

    Exchange> So the question still remains: will the arbitrary ID changes be
    Exchange> put back to their original values, or will we have a large
    Exchange> divergence from the IDs in the draft, and IDs in the
    Exchange> marketplace?

  If you ship with VendorID you won't care.
  If you ship with bare IDs from the private address range you will get
toasted at every single bakeoff, and your product will likely fail to
be certified.

] Train travel features AC outlets with no take-off restrictions|  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface

iQB1AwUBOAdvMI5hrHmwwFrtAQFJJwL9E5/nU5UiuDAgpK0dAcLPJQV0QH5BOEN4
THXkqN/gfmTnWp11m7BBHRvIoK/ZI5kGMWDQfMqC1QfnzJ+saZxwn6iAx20lkzcT
utlTWN5KVfsixmVPYZjgFrAteUGbS11O
=2L65
-----END PGP SIGNATURE-----
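
The Vendor ID approach described in the message above, as an added example that is not part of the original message or of any IKE implementation: a receiver walks the ISAKMP payload chain (RFC 2408 header layout, Vendor ID payload type 13, private-use payload types 128-255) and gives a private-use number a meaning only when a recognised Vendor ID payload is present. The vendor string, the table contents and the `build` helper are constructed for illustration.

```python
import struct

ISAKMP_HDR_LEN = 28             # fixed ISAKMP header size (RFC 2408)
PAYLOAD_VENDOR_ID = 13          # Vendor ID payload type (RFC 2408)
PRIVATE_USE = range(128, 256)   # private-use payload types (RFC 2408)

# Hypothetical table: Vendor ID bytes -> that vendor's private payload numbers.
# Real Vendor IDs are usually a hash; this readable string is constructed.
VENDOR_TABLES = {b"EXAMPLE-VENDOR-A": {128: "vendor-A auth token"}}

def parse_payloads(msg):
    """Walk the payload chain and return [(payload_type, body), ...]."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_type, total = msg[16], struct.unpack("!I", msg[24:28])[0]
    if total != len(msg):
        raise ValueError("header length does not match message size")
    out, off = [], ISAKMP_HDR_LEN
    while next_type != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        out.append((next_type, msg[off + 4:off + plen]))
        next_type, off = following, off + plen
    return out

def interpret_private(msg):
    """Return [(type, meaning)] for private-use payloads; None = do not guess."""
    payloads = parse_payloads(msg)
    tables = [VENDOR_TABLES[b] for t, b in payloads
              if t == PAYLOAD_VENDOR_ID and b in VENDOR_TABLES]
    result = []
    for t, _body in payloads:
        if t in PRIVATE_USE:
            meaning = next((tb[t] for tb in tables if t in tb), None)
            result.append((t, meaning))
    return result

def build(payloads):
    """Build a constructed sample message from [(payload_type, body), ...]."""
    types = [t for t, _ in payloads] + [0]
    body = b"".join(struct.pack("!BBH", types[i + 1], 0, 4 + len(d)) + d
                    for i, (_, d) in enumerate(payloads))
    hdr = bytes(16) + struct.pack("!BBBBII", types[0], 0x10, 2, 0, 0, 28 + len(body))
    return hdr + body
```

A peer that sends the same private payload number without a Vendor ID gets `None`, which is the "bare IDs" case the message warns about.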