Re: [kitten] RFC2743 errata 4251
Jeffrey Hutzelman <jhutz@cmu.edu> Wed, 14 January 2015 21:12 UTC
Return-Path: <jhutz@cmu.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFE941A9071 for <kitten@ietfa.amsl.com>; Wed, 14 Jan 2015 13:12:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XKERqUma5c4V for <kitten@ietfa.amsl.com>; Wed, 14 Jan 2015 13:12:56 -0800 (PST)
Received: from smtp03.srv.cs.cmu.edu (smtp03.srv.cs.cmu.edu [128.2.217.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FF191A906C for <kitten@ietf.org>; Wed, 14 Jan 2015 13:12:55 -0800 (PST)
Received-SPF: none (cmu.edu: No applicable sender policy available) receiver=smtp03.srv.cs.cmu.edu; identity=mailfrom; envelope-from="jhutz@cmu.edu"; helo="[128.2.193.239]"; client-ip=128.2.193.239
Received: from [128.2.193.239] (minbar.fac.cs.cmu.edu [128.2.193.239]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id t0ELCo3g016785 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 14 Jan 2015 16:12:51 -0500 (EST)
Message-ID: <1421269970.18482.184.camel@minbar.fac.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Nico Williams <nico@cryptonector.com>
Date: Wed, 14 Jan 2015 16:12:50 -0500
In-Reply-To: <20141220001633.GD12662@localhost>
References: <alpine.GSO.1.10.1411241330400.19231@multics.mit.edu> <20141124185114.GM3200@localhost> <alpine.GSO.1.10.1412091618550.23489@multics.mit.edu> <20141209215519.GI12979@localhost> <alpine.GSO.1.10.1412091856160.23489@multics.mit.edu> <20141210002441.GP12979@localhost> <alpine.GSO.1.10.1412101349030.23489@multics.mit.edu> <548F185E.70701@mit.edu> <5492032F.9050607@mit.edu> <20141217230505.GD9443@localhost> <20141220001633.GD12662@localhost>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.3-0ubuntu6
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Scanned-By: mimedefang-cmuscs on 128.2.217.202
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/8V7hxUQxHe0Yd_50egj6z4jZGWo>
Cc: kitten@ietf.org, jhutz@cmu.edu
Subject: Re: [kitten] RFC2743 errata 4251
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 21:12:58 -0000
On Fri, 2014-12-19 at 18:16 -0600, Nico Williams wrote: > On further thought, since context deletion tokens are obsoleted, and > have been for a long time, we might as well say nothing about > GSS_S_COMPLETE implying that the peer is done using its side of the > security context. The GSS_S_FAILURE case, however, still kinda leads to > the caller being done. > > OLD PROPOSED TEXT > | Though future GSS-API extensions may add new uses of asynchronous > | security context tokens and ways to process them, applications > | using the GSS-API version 2, update 1, should generally call > | GSS_Delete_sec_context() after calling GSS_Process_context_token(), > | when the latter returns GSS_S_COMPLETE or GSS_S_FAILURE. > > NEW: > | Applications should generally call GSS_Delete_sec_context() when > | GSS_Process_context_token() returns GSS_S_FAILURE. FWIW, I agree with Greg that it's not reasonable to assume, or suggest that applications assume, that all asynchronous context tokens are deletion tokens or mean that the context is now dead. So, the above change is an improvement. However, after reading this thread, I'm not convinced we need to give applications any guidance about calling GSS_Delete_sec_context after processing a context token. Nico thinks that saying "generally" makes it OK, but I disagree. The word "generally" here isn't an effective weasel word; it's a particle. If you describe what the exceptions are, you don't need it, and if you don't, then it doesn't do you any good. Implementors are going to read the text as if the word wasn't there. I think it is worth noting that if we start giving new implementation guidance to applications in an erratum, people who read it will assume it must be important and start doing that, because otherwise, why did we go out of our way to publish an erratum? The purpose of errata is to fix technical or editorial errors and omissions in the existing spec. They are not for changing the spec or offering new guidance. We should stick to doing the former, and leave the latter for a new or updated document, if it's necessary. -- Jeff
- [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Martin Rex
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Greg Hudson
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Greg Hudson
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Greg Hudson
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Martin Rex
- Re: [kitten] RFC2743 errata 4251 Martin Rex
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Martin Rex
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Stephen Farrell
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Martin Rex
- Re: [kitten] RFC2743 errata 4251 Stephen Farrell
- Re: [kitten] RFC2743 errata 4251 Greg Hudson
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Jeffrey Hutzelman
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Benjamin Kaduk
- Re: [kitten] RFC2743 errata 4251 Nico Williams
- Re: [kitten] RFC2743 errata 4251 Greg Hudson
- Re: [kitten] RFC2743 errata 4251 Jeffrey Hutzelman