IETF Logo Mail Archive

Re: Please review: http gss authentication mech

Nicolas Williams <Nicolas.Williams@sun.com> Fri, 17 November 2006 16:57 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gl71V-0006Ip-5m; Fri, 17 Nov 2006 11:57:05 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gl71T-0006If-IU for kitten@ietf.org; Fri, 17 Nov 2006 11:57:03 -0500
Received: from brmea-mail-1.sun.com ([192.18.98.31]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gl71N-0004lz-Q5 for kitten@ietf.org; Fri, 17 Nov 2006 11:57:03 -0500
Received: from centralmail3brm.Central.Sun.COM ([129.147.62.199]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id kAHGuvAM013036 for <kitten@ietf.org>; Fri, 17 Nov 2006 09:56:57 -0700 (MST)
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail3brm.Central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id kAHGuuvv020298 for <kitten@ietf.org>; Fri, 17 Nov 2006 09:56:57 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6) with ESMTP id kAHGuuvr005212; Fri, 17 Nov 2006 10:56:56 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6/Submit) id kAHGuukw005211; Fri, 17 Nov 2006 10:56:56 -0600 (CST)
Date: Fri, 17 Nov 2006 10:56:56 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Leif Johansson <leifj@it.su.se>
Message-ID: <20061117165656.GA25646@binky.Central.Sun.COM>
Mail-Followup-To: Leif Johansson <leifj@it.su.se>, Lisa Dusseault <lisa@osafoundation.org>, Kitten <kitten@ietf.org>
References: <45538042.5020301@it.su.se> <D4AB6E5A-F507-4C3E-A0A0-23FCF4449D87@osafoundation.org> <4558D48A.9080208@it.su.se>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4558D48A.9080208@it.su.se>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e8a67952aa972b528dd04570d58ad8fe
Cc: Kitten <kitten@ietf.org>, Lisa Dusseault <lisa@osafoundation.org>
Subject: Re: Please review: http gss authentication mech
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Errors-To: kitten-bounces@lists.ietf.org

On Mon, Nov 13, 2006 at 09:24:42PM +0100, Leif Johansson wrote:
> Lisa Dusseault wrote:
> > - I'd personally prefer MUST-language that does not say that the
> > client or server "MUST call gss_foo_bar".   Instead, the requirements
> > could be that the client or server MUST use the token that would
> > result from a call to gss_foo_bar.  This may be an un-GSS way of doing
> > things :)
> I was looking for a better way to write this. This sounds like a win and
> I don't think it is very un-GSS at all.

Check out some of the other RFCs and I-Ds that do this (RFC2203,
RFC2222, RFC2228, RFC3645, RFC4462, draft-ietf-sasl-gssapi,
draft-ietf-sasl-gs2).

> > - Explain the limits on the number of roundtrips (current spec text
> > says "This process continues until either an error occurs or the
> > GSS-API layer has successfully completed...").
> >
> That may be more difficult. In practice there are few situations where
> more than (say) 5 roundtrips are
> ever needed and in many cases 1 or 2 are enough but in general GSS have
> few hard limits. The same
> question came up during the discussion of GSS-TLS on friday. I don't
> have a good answer to this at
> this time.

There is always a finite maximum number of round-trips.  There's no API
to inquire what that would be for a given GSS mechanism (or for all
available mechanisms), but a) we could provide such an API, b) such data
could be hardcoded as a last resort.

But, why is this needed?

> > - How would a GUI client (browser or rich client) know whether to
> > present a "Login" button?  Imagine a client browsing a
> > publicly-readable archive in HTML or WebDAV -- with anonymous read
> > requests, the may see all kinds of documents.  Yet if the client can
> > authenticate and get more permissions, the client might see new stuff
> > (e.g. additional documents, links to edit documents, or with WebDAV
> > see write permission available on ACL queries and know to enable
> > "upload" and "change" UIs in response).
> How does a client ever know that?

It might know from: context, configuration, and/or, much more likely,
from application-level data sent by the server.

In the NFSv4 case, for example, the negotiation is at the application
layer (i.e., in NFSv4, not in RPC or RPCSEC_GSS), and the server may
want different mechanisms to be used for different subsets of its
filesystems.

WebDAV should probably follow that model.

And HTML too should follow it.  Meaning we need an element by which the
server can tell the client that "if the user clicks on this, then
authenticate using HTTP-GSS + channel binding to TLS."

Specification of all such app-layer bits are well beyond the scope of
Leif's I-Ds, and, in some cases (e.g., HTML), well beyond the scope of
the IETF.

Nico
-- 

_______________________________________________
Kitten mailing list
Kitten@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email