IETF Logo Mail Archive

Re: [kitten] Updating IANA krb5 GSSAPI token type registry

Benjamin Kaduk <kaduk@MIT.EDU> Thu, 06 March 2014 22:51 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EC441A011E for <kitten@ietfa.amsl.com>; Thu, 6 Mar 2014 14:51:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.148
X-Spam-Level:
X-Spam-Status: No, score=-3.148 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HZ3U77o2M2uz for <kitten@ietfa.amsl.com>; Thu, 6 Mar 2014 14:51:20 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) by ietfa.amsl.com (Postfix) with ESMTP id 712651A00AF for <kitten@ietf.org>; Thu, 6 Mar 2014 14:51:20 -0800 (PST)
X-AuditID: 12074425-f79906d000000cf9-4c-5318fbe433ff
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id F4.1B.03321.4EBF8135; Thu, 6 Mar 2014 17:51:16 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id s26MpEsb011924; Thu, 6 Mar 2014 17:51:15 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s26MpCUj005811 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 6 Mar 2014 17:51:14 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s26MpCcI009571; Thu, 6 Mar 2014 17:51:12 -0500 (EST)
Date: Thu, 06 Mar 2014 17:51:12 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Sam Hartman <hartmans-ietf@MIT.EDU>
In-Reply-To: <tslpplzvdb0.fsf@mit.edu>
Message-ID: <alpine.GSO.1.10.1403061729070.1213@multics.mit.edu>
References: <20130806223553.CD3401A8EC@ld9781.wdf.sap.corp> <29F4D66E-3E8F-4033-8779-8EA158C1B72A@padl.com> <alpine.GSO.1.10.1308062018070.24720@multics.mit.edu> <alpine.GSO.1.10.1309041148130.16692@multics.mit.edu> <alpine.GSO.1.10.1403041135510.1213@multics.mit.edu> <tslzjl4ohbn.fsf@mit.edu> <1394031556.4290.53.camel@destiny.pc.cs.cmu.edu> <5317BD6E.6080309@oracle.com> <alpine.GSO.1.10.1403051916110.1213@multics.mit.edu> <tslpplzvdb0.fsf@mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrLIsWRmVeSWpSXmKPExsUixCmqrfvkt0Swwd0HbBZf24DE0c2rWByY PJYs+cnksXLqafYApigum5TUnMyy1CJ9uwSujJuPrrMWTBWuWPR3E2sD4wT+LkZODgkBE4m3 LefZIWwxiQv31rN1MXJxCAnMZpK4N2E+C4SzgVHi2NanjBDOQSaJ3cfPs4G0CAnUSyzau4UR xGYR0JLo/fIIzGYTUJGY+WYjWI2IgLpE+4SvYDazgLDE+nMzmLsYOTiEBZwlNu6KAAlzCqhJ fNn0D6yVV8BBYsvW1ewQu44xSyxvm8kEkhAV0JFYvX8KC0SRoMTJmU9YIGZaSvxb+4t1AqPg LCSpWUhSCxiZVjHKpuRW6eYmZuYUpybrFicn5uWlFula6OVmluilppRuYgSFKruL6g7GCYeU DjEKcDAq8fB2LpIIFmJNLCuuzD3EKMnBpCTK++gnUIgvKT+lMiOxOCO+qDQntfgQowQHs5II r/93oBxvSmJlVWpRPkxKmoNFSZy37yxQSiA9sSQ1OzW1ILUIJivDwaEkwasOjEkhwaLU9NSK tMycEoQ0EwcnyHAeoOGxv0CGFxck5hZnpkPkTzEqSonz2oEkBEASGaV5cL2wVPKKURzoFWFe eZAVPMA0BNf9CmgwE9DgaD5xkMEliQgpqQZGf/0br9b4KcWefParQH3X15b33GZGVey2efYz 5UwZl6tkFDx0jk59wN7sxHdm2a/6LZrSAa3hl7bNPvV8yrSpsSZ+HQf3Tbl2+/d+Z1nFbouT fStY72Y8VJi/Snf2+ad6F9+6dT7KWz2vKejS/l1CifrWqyyTnl6/b7ZnftB65x1Prn+5vdv8 kRJLcUaioRZzUXEiAC7xZ6QAAwAA
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/ApRtzEcihmlK7di40gdC7ufVcps
Cc: kitten@ietf.org
Subject: Re: [kitten] Updating IANA krb5 GSSAPI token type registry
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 22:51:22 -0000

On Thu, 6 Mar 2014, Sam Hartman wrote:

> So, my understanding of the situation is that we have an implementation
> that has chosen to ship code prior to completion of a spec in two
> instances.
>
> 1) CFX.  In that instance, the spec evolved differently than anticipated
> and no longer standardizes the behavior MIT implements.

Greg pointed out that we have removed the code that generates the CFX 
deletion token from our development branch, though of course older 
releases still generate such tokens.

> 2) Iakerb.  There, we still expect that the spec will use the same value
> as MIT.
>
> In the CFX case, I don't actually see any significant harm that would
> result if we were to  assign the codepoint MIT uses to something else.
> It would be bad if we assigned that codepoint to some token other than a
> context deletion token intended to be passed into
> gss_process_context_token.
> However, there are no such tokens and there are no extensions under
> discussion that would create such tokens.

There actually is provision in RFC 2743 for tokens to be passed to 
gss_process_context_token which are not deletion tokens. (Last two 
paragraphs of 1.2.1.2.)  I do not remember any provisions in RFC 4121 to 
account for this case, though, so I guess it is under-specified.

> In general, when you ship a draft, you take on responsibility for
> dealing if the IETF process doesn't go the way you anticipate.  Doing
> that is part of doing business; it's definitely the case that there are
> times when you end up shipping based on drafts.

I don't disagree with anything you say there.

However, I think we should consider what the purpose of the central 
registry is: to document what values are in use and avoid conflicts. 
Given that there were already values in broad use when the registry was 
created, I think it is appropriate to document those values in the 
registry, even if it is just as "reserved to avoid conflicts", as Martin 
notes in the prior art.  There certainly does not seem to be a shortage 
of values in the token type space.

> IANA expert decisions can be appealed; you'd first file an appeal with
> me, and then I'm not sure whether it goes to the IESG as a whole or the
> security AD.

Is there a magic phrase that invokes such an appeal?  (Or does it go 
through IANA?)  I am unfamiliar with the process, and not necessarily 
indicating intent to do so.

-Ben

v2.23.0 | Report a Bug | By Email