Re: WGLC on draft-ietf-kitten-rfc2853bis-04
"Mayank Upadhyay" <mayank+ietf-kitten@google.com> Fri, 25 July 2008 21:05 UTC
Return-Path: <kitten-bounces@ietf.org>
X-Original-To: kitten-archive@megatron.ietf.org
Delivered-To: ietfarch-kitten-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BA0873A685F; Fri, 25 Jul 2008 14:05:30 -0700 (PDT)
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 117F33A685F for <kitten@core3.amsl.com>; Fri, 25 Jul 2008 14:05:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.976
X-Spam-Level:
X-Spam-Status: No, score=-101.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cTB7lsQpWGmJ for <kitten@core3.amsl.com>; Fri, 25 Jul 2008 14:05:28 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id E1E043A680D for <kitten@ietf.org>; Fri, 25 Jul 2008 14:05:27 -0700 (PDT)
Received: from spaceape8.eur.corp.google.com (spaceape8.eur.corp.google.com [172.28.16.142]) by smtp-out.google.com with ESMTP id m6PL5Ike019899 for <kitten@ietf.org>; Fri, 25 Jul 2008 22:05:18 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1217019918; bh=qFp8LYdOARgqbZUsjToqg686Me0=; h=DomainKey-Signature:Message-ID:Date:From:Sender:To:Subject:Cc: MIME-Version:Content-Type:X-Google-Sender-Auth; b=cDt5HAifbYo3ByEk //e7tO19L//kGuArJp4OOWWU+InetVRNkqTOSG3ALt7RrdGMiEJLTL2EmCm0RlCs7oK 8uQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=message-id:date:from:sender:to:subject:cc:mime-version: content-type:x-google-sender-auth; b=NHxERv2Y04sQeyP9DiwBkbqj9n+uKPX29gSvc3qmlFd8ac0OTAQGGOZ8EDqyDnsli h1wHFCfmnRtSx4u1IqJcA==
Received: from hs-out-0708.google.com (hsjj58.prod.google.com [10.44.36.58]) by spaceape8.eur.corp.google.com with ESMTP id m6PL4vqi016086 for <kitten@ietf.org>; Fri, 25 Jul 2008 14:05:17 -0700
Received: by hs-out-0708.google.com with SMTP id j58so538133hsj.6 for <kitten@ietf.org>; Fri, 25 Jul 2008 14:05:16 -0700 (PDT)
Received: by 10.100.144.11 with SMTP id r11mr3785201and.52.1217019915897; Fri, 25 Jul 2008 14:05:15 -0700 (PDT)
Received: by 10.100.126.4 with HTTP; Fri, 25 Jul 2008 14:05:15 -0700 (PDT)
Message-ID: <6f7ed4930807251405q123e71fh2169502e135d22d2@mail.gmail.com>
Date: Fri, 25 Jul 2008 14:05:15 -0700
From: Mayank Upadhyay <mayank+ietf-kitten@google.com>
To: Wesley Leggette <wleggette@cleversafe.com>
Subject: Re: WGLC on draft-ietf-kitten-rfc2853bis-04
MIME-Version: 1.0
X-Google-Sender-Auth: b2b509cb6b9f8acc
Cc: kitten@ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1341607933=="
Sender: kitten-bounces@ietf.org
Errors-To: kitten-bounces@ietf.org
Wesley, It's not unusual for the base Java platform (J2SE) to have additional requirements over what the JGSS API defines. Interaction with JAAS has traditionally been one of those areas. JGSS is unique in the sense that the API was originally defined at the IETF, but since it is included in J2SE, it also had to go though the Java Community Process (JCP) to be adopted. The JCP experts group placed additional requirements that had to do with JAAS interaction. These were only specified in the javadocs for J2SE (e.g., http://java.sun.com/javase/6/docs/api/org/ietf/jgss/package-summary.html#useSubjectCredsOnly), and not in the JGSS RFC. It was also realized at the time, that we would need a way to convert back from GSSCredential to a JAAS Subject. So Sun provided an API specific to Sun's JRE to do this. Please see: http://java.sun.com/javase/6/docs/jre/api/security/jgss/spec/com/sun/security/jgss/GSSUtil.html. It wasn't pushed through as a standard J2SE API because we were unsure if it would suffice. Perhaps the best thing to do would be to take the issue up with Sun and ask if the com.sun.jgss.GSSUtil API could be moved into J2SE as part of a standard auth package like javax.security.auth? There are already other classes in this and its sub-packages related to this space. -Mayank 2008/7/22 kitten-request <kitten-request@ietf.org>: Today's Topics: 1. Re: WGLC on draft-ietf-kitten-rfc2853bis- > > 04 (Wesley Leggette) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 21 Jul 2008 22:22:17 -0500 > From: Wesley Leggette <wleggette@cleversafe.com> > Subject: Re: WGLC on draft-ietf-kitten-rfc2853bis-04 > To: <kitten@ietf.org> > Message-ID: <C4AABC99.79C7%wleggette@cleversafe.com<C4AABC99.79C7%25wleggette@cleversafe.com> > > > Content-Type: text/plain; charset="US-ASCII" > > By way of introduction, I am a senior software developer at Cleversafe, > Inc. > We are developing a "dispersed" storage technology called "dsNet" and have > been using GSS-API within our new security framework. Our code is written > in > Java and the aspects of GSS-API we are especially interested in is the > authentication negotiation with SPNEGO and credential delegation features. > > We anticipate migrating to Kerberos and SPKM authentication but realize > that > our users will require support for password-based authentication as well > and > to that end have implemented a password-based authentication mechanism > based > heavily on SSHv2. > > Working with GSS-API on an alternate mechanism (especially one that > requires > multiple exchanges) has uncovered a few bugs in the Java GSS-API and SPNEGO > implementations, which is somewhat interesting. (We plan on taking this up > with Sun directly. I just mentioned it here for color.) > > But to the point, because we have decided to integrate heavily with the > Java > Authentication and Authorization Service we've found that the major > shortcoming of the GSS-API Java bindings is the lack of a mechanism > independent way of obtaining java Subject objects for both the local and > delegated credentials of a GSSContext. > > I can anticipate that Java-specific (especially JAAS-specific) objects were > purposefully omitted from the Java bindings. Was this the case and if so > what was the rationale? If this was not purposefully omitted I would > request > that this be considered for this draft. > > Wesley Leggette > Senior Software Developer > Cleversafe, Inc. > http://www.cleversafe.com > > > > > ------------------------------ > > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten > > > End of Kitten Digest, Vol 46, Issue 2 > *************************************
_______________________________________________ Kitten mailing list Kitten@ietf.org https://www.ietf.org/mailman/listinfo/kitten
- WGLC on draft-ietf-kitten-rfc2853bis-04 Shawn M Emery
- Re: WGLC on draft-ietf-kitten-rfc2853bis-04 Wesley Leggette
- Re: WGLC on draft-ietf-kitten-rfc2853bis-04 Mayank Upadhyay
- Re: WGLC on draft-ietf-kitten-rfc2853bis-04 Wesley Leggette