Re: Please review: http gss authentication mech
Nicolas Williams <Nicolas.Williams@sun.com> Thu, 16 November 2006 21:49 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gkp7N-0005hM-5H; Thu, 16 Nov 2006 16:49:57 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gkp7L-0005dP-F6 for kitten@ietf.org; Thu, 16 Nov 2006 16:49:55 -0500
Received: from nwkea-mail-5.sun.com ([192.18.42.27]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gkp7K-0005Tu-3w for kitten@ietf.org; Thu, 16 Nov 2006 16:49:55 -0500
Received: from centralmail4brm.central.Sun.COM ([129.147.62.198]) by nwkea-mail-5.sun.com (8.13.6+Sun/8.12.9) with ESMTP id kAGLnrtI008080 for <kitten@ietf.org>; Thu, 16 Nov 2006 13:49:53 -0800 (PST)
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail4brm.central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id kAGLnqH1023988 for <kitten@ietf.org>; Thu, 16 Nov 2006 14:49:53 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6) with ESMTP id kAGLnqYY004855; Thu, 16 Nov 2006 15:49:52 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6/Submit) id kAGLnqwg004854; Thu, 16 Nov 2006 15:49:52 -0600 (CST)
Date: Thu, 16 Nov 2006 15:49:52 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Tim Alsop <Tim.Alsop@CyberSafe.Com>
Message-ID: <20061116214952.GU25646@binky.Central.Sun.COM>
Mail-Followup-To: Tim Alsop <Tim.Alsop@CyberSafe.Com>, Leif Johansson <leifj@it.su.se>, Kitten <kitten@ietf.org>, Lisa Dusseault <lisa@osafoundation.org>
References: <4553B51E.9080006@it.su.se> <0D8F2EFD3A10E24DAEEA48EA6DA07D30299547@postman-pat.csafe.local>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0D8F2EFD3A10E24DAEEA48EA6DA07D30299547@postman-pat.csafe.local>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
Cc: Kitten <kitten@ietf.org>, Lisa Dusseault <lisa@osafoundation.org>
Subject: Re: Please review: http gss authentication mech
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Errors-To: kitten-bounces@lists.ietf.org
On Fri, Nov 10, 2006 at 04:19:42PM +0000, Tim Alsop wrote: > > I am under the impression that the proposed SASL mechanism doesn't > support channel > > bindings, partially because channel bindings have been a notoriously > difficult problem to get > > right in SASL space. Personally I din't see the value of adding the > extra layer of glue. > > My understanding is that, if SASL is using GSS/Kerberos to protect HTTP > communications, then GSS channel bindings can be used, so SASL does not > need to have direct support for channel bindings. This is an advantage > of using a multi-layered architecture. Your understanding is wrong. First of all, there's an API issue -- which, since the IETF does not standardize a SASL API you might hand wave away. Second, there's a semantic issue, and this is far more important. Rather than re-hash this here you might want to look at the SASL WG mailing list archives and the gs2 I-D (draft-ietf-sasl-gs2) and its evolution. Then you'll understand why GSS channel bindings in the SASL "GSSAPI" mechanism are generally not usable. Third, we need channel binding to TLS to avoid re-doing the GSS (or SASL) authentication over and over, and so what's the point of using SASL if the only SASL mechs that would support channel binding were the GSS-based ones (using SASL/gs2)? And if channel binding support is added to SASL MD5-DIGEST, with the same semantics, can't we also add a GSS-API mechanism that uses the same credentials as MD5-DIGEST? And why isn't HTTP MD5-DIGEST good enough anyways? And what other SASL mechanisms did you want to use with this? Nico -- _______________________________________________ Kitten mailing list Kitten@lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten
- Please review: http gss authentication mech Leif Johansson
- Re: Please review: http gss authentication mech Michael B Allen
- Re: Please review: http gss authentication mech Leif Johansson
- Re: Please review: http gss authentication mech Leif Johansson
- Re: Please review: http gss authentication mech RL 'Bob' Morgan
- RE: Please review: http gss authentication mech Tim Alsop
- RE: Please review: http gss authentication mech Tim Alsop
- RE: Please review: http gss authentication mech Tim Alsop
- Re: Please review: http gss authentication mech Lisa Dusseault
- Re: Please review: http gss authentication mech Leif Johansson
- Re: Please review: http gss authentication mech Leif Johansson
- Re: Please review: http gss authentication mech Martin Rex
- Re: Please review: http gss authentication mech Michael B Allen
- Re: Please review: http gss authentication mech Leif Johansson
- Re: Please review: http gss authentication mech Martin Rex
- Re: Please review: http gss authentication mech Leif Johansson
- Re: Please review: http gss authentication mech Michael B Allen
- Re: Please review: http gss authentication mech Martin Rex
- Re: Please review: http gss authentication mech Martin Rex
- Re: Please review: http gss authentication mech Martin Rex
- Session Token and Delegation (was Re: Please revi… Michael B Allen
- Preemptive Authentication by Clients (was Re: Ple… Michael B Allen
- Re: Session Token and Delegation (was Re: Please … Martin Rex
- Re: Please review: http gss authentication mech Michael B Allen
- Re: Please review: http gss authentication mech Michael B Allen
- Re: Please review: http gss authentication mech Martin Rex
- Re: Session Token and Delegation (was Re: Please … Leif Johansson
- Re: Please review: http gss authentication mech Martin Rex
- Re: Please review: http gss authentication mech Michael B Allen
- Re: Please review: http gss authentication mech Martin Rex
- Re: Please review: http gss authentication mech Nicolas Williams
- Re: Please review: http gss authentication mech Nicolas Williams
- RE: Please review: http gss authentication mech Tim Alsop
- RE: Please review: http gss authentication mech Tim Alsop
- Re: Please review: http gss authentication mech Nicolas Williams
- RE: Please review: http gss authentication mech Tim Alsop
- Re: Please review: http gss authentication mech Martin Rex
- Re: Please review: http gss authentication mech Nicolas Williams
- Re: Please review: http gss authentication mech Nicolas Williams
- Re: Please review: http gss authentication mech Nicolas Williams
- Re: Please review: http gss authentication mech Nicolas Williams
- Re: Please review: http gss authentication mech Michael B Allen
- Re: Session Token and Delegation (was Re: Please … Nicolas Williams
- Re: Please review: http gss authentication mech Nicolas Williams
- Re: Please review: http gss authentication mech Nicolas Williams
- Re: Please review: http gss authentication mech Leif Johansson
- Re: Please review: http gss authentication mech Nicolas Williams
- Re: Please review: http gss authentication mech Martin Rex
- Re: Please review: http gss authentication mech Nicolas Williams