IETF Logo Mail Archive

Re: [kitten] Updating IANA krb5 GSSAPI token type registry

Sam Hartman <hartmans-ietf@mit.edu> Thu, 06 March 2014 10:20 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39B221A022F for <kitten@ietfa.amsl.com>; Thu, 6 Mar 2014 02:20:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pl26XVLr4ZvC for <kitten@ietfa.amsl.com>; Thu, 6 Mar 2014 02:20:29 -0800 (PST)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id E87091A0220 for <kitten@ietf.org>; Thu, 6 Mar 2014 02:20:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 39643206AA; Thu, 6 Mar 2014 05:15:55 -0500 (EST)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WvWZGnC_JWSX; Thu, 6 Mar 2014 05:15:55 -0500 (EST)
Received: from carter-zimmerman.suchdamage.org (unknown [130.129.155.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Thu, 6 Mar 2014 05:15:51 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id F40FB83F8E; Thu, 6 Mar 2014 05:20:19 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Benjamin Kaduk <kaduk@MIT.EDU>
References: <20130806223553.CD3401A8EC@ld9781.wdf.sap.corp> <29F4D66E-3E8F-4033-8779-8EA158C1B72A@padl.com> <alpine.GSO.1.10.1308062018070.24720@multics.mit.edu> <alpine.GSO.1.10.1309041148130.16692@multics.mit.edu> <alpine.GSO.1.10.1403041135510.1213@multics.mit.edu> <tslzjl4ohbn.fsf@mit.edu> <1394031556.4290.53.camel@destiny.pc.cs.cmu.edu> <5317BD6E.6080309@oracle.com> <alpine.GSO.1.10.1403051916110.1213@multics.mit.edu>
Date: Thu, 06 Mar 2014 05:20:19 -0500
In-Reply-To: <alpine.GSO.1.10.1403051916110.1213@multics.mit.edu> (Benjamin Kaduk's message of "Wed, 5 Mar 2014 19:41:20 -0500 (EST)")
Message-ID: <tslpplzvdb0.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/4yCoWrrtJOaXDNCmLhw4y0Utt-g
Cc: kitten@ietf.org
Subject: Re: [kitten] Updating IANA krb5 GSSAPI token type registry
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 10:20:30 -0000

So, my understanding of the situation is that we have an implementation
that has chosen to ship code prior to completion of a spec in two
instances.

1) CFX.  In that instance, the spec evolved differently than anticipated
and no longer standardizes the behavior MIT implements.

2) Iakerb.  There, we still expect that the spec will use the same value
as MIT.

In the CFX case, I don't actually see any significant harm that would
result if we were to  assign the codepoint MIT uses to something else.
It would be bad if we assigned that codepoint to some token other than a
context deletion token intended to be passed into
gss_process_context_token.
However, there are no such tokens and there are no extensions under
discussion that would create such tokens.

In general, when you ship a draft, you take on responsibility for
dealing if the IETF process doesn't go the way you anticipate.  Doing
that is part of doing business; it's definitely the case that there are
times when you end up shipping based on drafts.
I'm aware of the iakerb issue, and if iakerb moves forward at a
reasonable speed, I'll certainly keep its assignment preference in mind
when reviewing other allocations.

IANA expert decisions can be appealed; you'd first file an appeal with
me, and then I'm not sure whether it goes to the IESG as a whole or the
security AD.

v2.23.0 | Report a Bug | By Email