Re: [kitten] RFC2743 errata 4251

Greg Hudson <ghudson@mit.edu> Mon, 15 December 2014 17:20 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E48E51A8706 for <kitten@ietfa.amsl.com>; Mon, 15 Dec 2014 09:20:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7vVObKs3EnU for <kitten@ietfa.amsl.com>; Mon, 15 Dec 2014 09:20:39 -0800 (PST)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E9B01A8704 for <kitten@ietf.org>; Mon, 15 Dec 2014 09:20:39 -0800 (PST)
X-AuditID: 12074424-f791c6d000000d25-f2-548f18660eb4
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 9C.F9.03365.6681F845; Mon, 15 Dec 2014 12:20:38 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id sBFHKWPg031387; Mon, 15 Dec 2014 12:20:32 -0500
Received: from [18.101.8.106] (vpn-18-101-8-106.mit.edu [18.101.8.106]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id sBFHKU6T028709 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 15 Dec 2014 12:20:31 -0500
Message-ID: <548F185E.70701@mit.edu>
Date: Mon, 15 Dec 2014 12:20:30 -0500
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Benjamin Kaduk <kaduk@mit.edu>, Nico Williams <nico@cryptonector.com>
References: <20141104204714.GI7913@localhost> <20141108014820.3278A1AFAB@ld9781.wdf.sap.corp> <20141110162504.GA3412@localhost> <alpine.GSO.1.10.1411241330400.19231@multics.mit.edu> <20141124185114.GM3200@localhost> <alpine.GSO.1.10.1412091618550.23489@multics.mit.edu> <20141209215519.GI12979@localhost> <alpine.GSO.1.10.1412091856160.23489@multics.mit.edu> <20141210002441.GP12979@localhost> <alpine.GSO.1.10.1412101349030.23489@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1412101349030.23489@multics.mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmphleLIzCtJLcpLzFFi42IR4hTV1k2T6A8x6DwqZnF08yoWi1PXjrA5 MHm8PHWO0WPJkp9MAUxRXDYpqTmZZalF+nYJXBk/9j5mLjjDVnHk9QGWBsbVrF2MnBwSAiYS 1ycsYoKwxSQu3FvP1sXIxSEksJhJ4sXzHlYIZyOjxNkZ15ggnCNMEncPPGIHaeEVUJHYfeMj G4jNIqAqcfvYHbCxbALKEuv3b2XpYuTgEBUIk5i6lAeiXFDi5MwnYGERAU+JD9ONQMLMAsIS F7bvBesUFtCU2Pn1FtTe/cwSGzb9ZARJcAo4SfQ8+sII0aAnseP6L1YIW15i+9s5zBMYBWch WTELSdksJGULGJlXMcqm5Fbp5iZm5hSnJusWJyfm5aUW6Zrr5WaW6KWmlG5iBAUwu4vKDsbm Q0qHGAU4GJV4eCMY+0KEWBPLiitzDzFKcjApifIy8/eHCPEl5adUZiQWZ8QXleakFh9ilOBg VhLhnfUOqJw3JbGyKrUoHyYlzcGiJM676QdfiJBAemJJanZqakFqEUxWhoNDSYK3RRxoqGBR anpqRVpmTglCmomDE2Q4D9DwfSA1vMUFibnFmekQ+VOMuhwL2vfPZBJiycvPS5US550DUiQA UpRRmgc3B5Z4XjGKA70lzHsWpIoHmLTgJr0CWsIEtOQyYw/IkpJEhJRUA+OsVd38c3zadrcI THDruNpxeZXVzynTb6pv+sHW9oyH02N/4IvyOIebRxQ7L0ysvvMss8X/jE6rm6+zumxY5cyV M6NtWpmW3t+6qDbt5EMrps5DWg1sveyvQqY1PV2+2zbrjraR9Mway3NCt/8t6o8vCpFS/Rm3 1yp95q9JPU+nbphutuCQt40SS3FGoqEWc1FxIgD3arjKFwMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/Fnd2pxGlWTtrqi_QvUh3eMl8ooI
Cc: kitten@ietf.org
Subject: Re: [kitten] RFC2743 errata 4251
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Dec 2014 17:20:41 -0000

On 12/10/2014 01:57 PM, Benjamin Kaduk wrote:
>      Though future GSS-API extensions may add new uses of asynchronous
>      security context tokens and ways to process them, applications
>      using the GSS-API version 2, update 1, should generally call
>      GSS_Delete_sec_context() after calling GSS_Process_context_token(),
>      when the latter returns GSS_S_COMPLETE or GSS_S_FAILURE.

I don't like the wording of this part.  Encouraging applications to
assume that context tokens destroy the context essentially closes the
door to specifying context tokens which don't.

(To be clear: saying that applications must eventually call
GSS_Delete_sec_context() is fine; saying that they should do so
immediately after a GSS_S_COMPLETE from GSS_Process_context_token() is
not fine.)

Otherwise the new text looks good.