Re: Working Group Last Call (Take Two): Desired Enhancements to GSSAPI
Martin Rex <martin.rex@sap.com> Fri, 21 April 2006 21:24 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FX36r-0003Pf-Ti; Fri, 21 Apr 2006 17:24:13 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FX36q-0003PK-D8 for kitten@lists.ietf.org; Fri, 21 Apr 2006 17:24:12 -0400
Received: from smtpde03.sap-ag.de ([155.56.68.140]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FX36q-00083w-0D for kitten@lists.ietf.org; Fri, 21 Apr 2006 17:24:12 -0400
Received: from sap-ag.de (smtpde03) by smtpde03.sap-ag.de (out) with ESMTP id XAA12756; Fri, 21 Apr 2006 23:23:48 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200604212123.XAA29342@uw1048.wdf.sap.corp>
To: jaltman@columbia.edu
Date: Fri, 21 Apr 2006 23:23:46 +0200
In-Reply-To: <4446B039.9000806@columbia.edu> from "Jeffrey Altman" at Apr 19, 6 05:48:41 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Cc: kitten@lists.ietf.org
Subject: Re: Working Group Last Call (Take Two): Desired Enhancements to GSSAPI
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Errors-To: kitten-bounces@lists.ietf.org
Jeffrey Altman wrote: > > This note announces the start of a two week working group last call > for the Kitten work item "Desired Enhancements to GSSAPI Naming". > http://www.ietf.org/internet-drafts/draft-ietf-kitten-gss-naming-04..txt One thing that hasn't be addressed, but which is probably an issue (in particular with the IESG...): I18N. The C-Bindings document mentions at one place that printable strings use the ISO Latin 1 codepage, but what actual implementations of GSS-API mechanism really use (and what applications expect) varies. e.g. we do ship our application (and a particular oem library with a gssapi mechanism) for two native EBCDIC platforms (OS/390 and OS/400), and both use an EBCDIC codepage for the printables -- which differs from ISO Latin 1 even for 7-bit ASCII (IA5) characters. Even for language bindings that natively support Unicode (like Java), the use of non-ASCII characters in the underlying GSS-API mechanism may create interoperability problems, i.e. with Kerberos 5 principal names and rfc1510 communication peers. It might be a good idea if a gssapi mechanism and an application caller (of the GSS-API C-Bindings) could agree on (or negotiate) the use of UTF8-strings for printables instead of the currently defined ISO-Latin-1 per rfc-2744 and the (de-facto) implementation defined behaviour of exisiting implementations. Supporting UTF-8 for printables (and have mechanism and application negotiate or agree upon this) will usually require code changes in both. I may be forced to implement a proprietary extension for interoperabitity of third-party gssapi libraries with our application through an additional API call (for "negotiating" the use of UTF-8 for printables) for our east european and asian customers. The use of non-ASCII and non-ISO-Latin-1 characters within Subject DNames of X.509 certs is quite popular there and so is the use of SPKM or SPKM-like gssapi mechanisms for Single Sign-On. printable strings are "names" as input parameter to gss_import_name() and output parameter from gss_display_name() as well as the textual representations of minor and major status codes as returned from gss_display_status(). Thoughts? Experiences? Has anyone else encountered I18N issues with GSS-API (C-Bindings) or already devised a solution? What codepage does your (gss-api) implementation use or your application expect/use? AFAIK MIT Kerberos 5 has traditionally use the "just send 8(-bit)" not just on the network, but also at the (GSS-)API. -Martin _______________________________________________ Kitten mailing list Kitten@lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten
- Re: Internationalization Martin Rex
- Working Group Last Call (Take Two): Desired Enhan… Jeffrey Altman
- RE: Working Group Last Call (Take Two): Desired E… Justad, Paul (RBC Centura Bank)
- Re: Working Group Last Call (Take Two): Desired E… Martin Rex
- Re: Working Group Last Call (Take Two): Desired E… Nicolas Williams
- Re: Working Group Last Call (Take Two): Desired E… Sam Hartman
- Re: Working Group Last Call (Take Two): Desired E… Jeffrey Altman
- Re: Working Group Last Call (Take Two): Desired E… Jeffrey Hutzelman
- Re: Working Group Last Call (Take Two): Desired E… Nicolas Williams
- Internationalization Sam Hartman
- Re: Internationalization Jeffrey Hutzelman
- Re: Internationalization Nicolas Williams
- Re: Internationalization Sam Hartman
- Re: Internationalization Martin Rex
- Re: Internationalization Nicolas Williams
- Re: Working Group Last Call (Take Two): Desired E… Jeffrey Altman