Re: [kitten] RFC2743 errata 4251

Greg Hudson <ghudson@mit.edu> Wed, 17 December 2014 22:27 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7D1A1A7008 for <kitten@ietfa.amsl.com>; Wed, 17 Dec 2014 14:27:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4B247ZK0339c for <kitten@ietfa.amsl.com>; Wed, 17 Dec 2014 14:27:05 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E89A31A6FDB for <kitten@ietf.org>; Wed, 17 Dec 2014 14:27:04 -0800 (PST)
X-AuditID: 1209190c-f79e46d000000eb2-4e-5492033790e7
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 2A.A6.03762.73302945; Wed, 17 Dec 2014 17:27:03 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id sBHMQvwH002673; Wed, 17 Dec 2014 17:26:58 -0500
Received: from [18.101.8.137] (vpn-18-101-8-137.mit.edu [18.101.8.137]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id sBHMQtOF025332 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 17 Dec 2014 17:26:57 -0500
Message-ID: <5492032F.9050607@mit.edu>
Date: Wed, 17 Dec 2014 17:26:55 -0500
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Benjamin Kaduk <kaduk@mit.edu>, Nico Williams <nico@cryptonector.com>
References: <20141104204714.GI7913@localhost> <20141108014820.3278A1AFAB@ld9781.wdf.sap.corp> <20141110162504.GA3412@localhost> <alpine.GSO.1.10.1411241330400.19231@multics.mit.edu> <20141124185114.GM3200@localhost> <alpine.GSO.1.10.1412091618550.23489@multics.mit.edu> <20141209215519.GI12979@localhost> <alpine.GSO.1.10.1412091856160.23489@multics.mit.edu> <20141210002441.GP12979@localhost> <alpine.GSO.1.10.1412101349030.23489@multics.mit.edu> <548F185E.70701@mit.edu>
In-Reply-To: <548F185E.70701@mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrOIsWRmVeSWpSXmKPExsUixCmqrWvOPCnE4PcVA4ujm1exWJy6doTN gcnj5alzjB5LlvxkCmCK4rJJSc3JLEst0rdL4MpY/+I1e8Fsnoo/336yNjB+5exi5OCQEDCR OLPfqYuRE8gUk7hwbz1bFyMXh5DAYiaJi+enM0E4GxklFv9oZIdwjjBJLDp9mRGkhVdATaJl 2kMmEJtFQFVizf2ZLCA2m4CyxPr9W1lANogKhElMXcoDUS4ocXLmE7CwiICnxIfpRiBhZgFh iQvb97KC2MICmhI7v95ihVh1g1li25FOZpAEJ9D4w7+esUM06EnsuP6LFcKWl2jeOpt5AqPg LCQrZiEpm4WkbAEj8ypG2ZTcKt3cxMyc4tRk3eLkxLy81CJdQ73czBK91JTSTYzg8JXk2cH4 5qDSIUYBDkYlHt4X1yeECLEmlhVX5h5ilORgUhLl3fV+YogQX1J+SmVGYnFGfFFpTmrxIUYJ DmYlEV7zX0A53pTEyqrUonyYlDQHi5I476YffCFCAumJJanZqakFqUUwWRkODiUJ3mymSSFC gkWp6akVaZk5JQhpJg5OkOE8QMO3g9TwFhck5hZnpkPkTzEqSonzrgBJCIAkMkrz4Hph6eUV ozjQK8K8EiBVPMDUBNf9CmgwE9DgyZ/7QQaXJCKkpBoY/Raq9mUXfzyy+tGlx/pf5b+qnby+ tenQ8f/zcqa/W993+1/Cw59icgXzUj5N2G29ae787U3Lji6buXLOWm4W1/k+Spdnva7IzKwT yY+s+KI49bXHttOCeZ9PnYrvP/lOUEvBLKW1wjC8d/Fnnbf+0w9+PNXJLflX25BZbbPcbaVF X7/m3lxi7KjEUpyRaKjFXFScCAA/g+ADCgMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/6GVdL606klzDEHXbKPEtfgTUfHc
Cc: kitten@ietf.org
Subject: Re: [kitten] RFC2743 errata 4251
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 22:27:07 -0000

On 12/15/2014 12:20 PM, Greg Hudson wrote:
> On 12/10/2014 01:57 PM, Benjamin Kaduk wrote:
>>      Though future GSS-API extensions may add new uses of asynchronous
>>      security context tokens and ways to process them, applications
>>      using the GSS-API version 2, update 1, should generally call
>>      GSS_Delete_sec_context() after calling GSS_Process_context_token(),
>>      when the latter returns GSS_S_COMPLETE or GSS_S_FAILURE.
> 
> I don't like the wording of this part.  Encouraging applications to
> assume that context tokens destroy the context essentially closes the
> door to specifying context tokens which don't.

Let me rephrase this objection:

I think the scope of this erratum should be limited to making it
possible for conforming gss_process_context_token implementations to
convey peer error token information to callers.  As Ben said yesterday,
the inability to do so is a clear defect in the spec, which makes it
appropriate fodder for an erratum.

The proposed text goes beyond that scope by giving guidance on how to
respond to GSS_S_COMPLETE.  That guidance assumes that async context
token types are limited to the ones mentioned in section 2.2.4:
(deletion tokens and error tokens resulting from the final synchronous
token).  Because this assumption does not match my reading of the
existing text, I don't think providing such additional guidance about
GSS_S_COMPLETE is appropriate for an erratum.  I also don't think
clarifying this point is important enough to justify a document revision.