Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL mechanism' to Proposed Standard (draft-ietf-sasl-gssapi)
Nicolas Williams <Nicolas.Williams@sun.com> Mon, 28 August 2006 21:47 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHowf-0000gM-4z; Mon, 28 Aug 2006 17:47:01 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHowe-0000gD-Bw; Mon, 28 Aug 2006 17:47:00 -0400
Received: from brmea-mail-4.sun.com ([192.18.98.36]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHowY-00053A-Or; Mon, 28 Aug 2006 17:47:00 -0400
Received: from centralmail4brm.central.Sun.COM ([129.147.62.198]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id k7SLksXX021484; Mon, 28 Aug 2006 15:46:54 -0600 (MDT)
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail4brm.central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id k7SLkris014720; Mon, 28 Aug 2006 15:46:53 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6) with ESMTP id k7SLkqbm024196; Mon, 28 Aug 2006 16:46:52 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6/Submit) id k7SLkpPV024195; Mon, 28 Aug 2006 16:46:51 -0500 (CDT)
Date: Mon, 28 Aug 2006 16:46:51 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Mark Crispin <MRC@CAC.Washington.EDU>
Message-ID: <20060828214650.GR10208@binky.Central.Sun.COM>
Mail-Followup-To: Mark Crispin <MRC@CAC.Washington.EDU>, iesg@ietf.org, kitten@ietf.org, ietf-sasl@imc.org
References: <E1GHnYk-0006tr-P2@stiedprstage1.ietf.org> <Pine.WNT.4.65.0608281325160.4760@Tomobiki-Cho.CAC.Washington.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <Pine.WNT.4.65.0608281325160.4760@Tomobiki-Cho.CAC.Washington.EDU>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: kitten@ietf.org, ietf-sasl@imc.org, iesg@ietf.org
Subject: Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL mechanism' to Proposed Standard (draft-ietf-sasl-gssapi)
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Errors-To: kitten-bounces@lists.ietf.org
On Mon, Aug 28, 2006 at 01:39:42PM -0700, Mark Crispin wrote: > > I request consideration of the following changes prior to publication. > > Page 4, first paragraph, please change: > [...] When calling the GSS_Init_sec_context the client > MUST pass the integ_req_flag of TRUE. > to > [...] When calling the GSS_Init_sec_context the client > SHOULD pass the integ_req_flag of TRUE. > > Otherwise, publication of this document would have the effect of declaring > existing deployed software to be non-compliant. I agree that this change > is desirable, but I disagree about retroactively declaring existing > software broken. If the WG feels strongly enough, it'd be alright to have > something in the security considerations saying that earlier versions did > not require the integ_req_flag, but all new implementations ought to have > it and old implementations fixed. Since this is all specific to the Kerberos V GSS-API mechanism I think the value of this flag is irrelevant, so this change should not render any earlier implementations non-compliant in terms of their on-the-wire behaviour. (At least one implementation of the Kerberos V GSS mechanism used to leave out confidentiality protection, but none, to my knowledge, fails to provide MIC and/or wrap tokens when integ_req_flag == false in the call to GSS_Init_sec_context().) > Suggested changes (this is just cosmetic): > > Page 5, second paragraph, change > [...] chan_binding of NULL > to: > [...] chan_binding of GSS_C_NO_CHANNEL_BINDINGS > > Similarly for page 7 in the third paragraph of the Security > Considerations. GSS_C_NO_CHANNEL_BINDINGS is only defined in the C bindings of the GSS-API (RFC2744), whereas the base GSS-API specification (RFC2743) uses "NULL" to mean "no channel bindings" (e.g., "...where NULL channel bindings..." and "[w]hen non-NULL channel bindings are provided"). Nico -- _______________________________________________ Kitten mailing list Kitten@lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten
- Last Call: 'The Kerberos V5 ("GSSAPI") SASL mecha… The IESG
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Kurt D. Zeilenga
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Kurt D. Zeilenga
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Altman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Simon Josefsson
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Simon Josefsson
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Simon Josefsson
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman