IETF Logo Mail Archive

Re: [kitten] Updating IANA krb5 GSSAPI token type registry

mrex@sap.com (Martin Rex) Wed, 07 August 2013 18:54 UTC

Return-Path: <mrex@sap.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B918221F9D4F for <kitten@ietfa.amsl.com>; Wed, 7 Aug 2013 11:54:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8N+vK5YhoWAe for <kitten@ietfa.amsl.com>; Wed, 7 Aug 2013 11:54:02 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id CFD8521E8088 for <kitten@ietf.org>; Wed, 7 Aug 2013 11:54:00 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r77Irwq3016470 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 7 Aug 2013 20:53:58 +0200 (MEST)
In-Reply-To: <alpine.GSO.1.10.1308062018070.24720@multics.mit.edu>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Date: Wed, 07 Aug 2013 20:53:58 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130807185358.263CC1A8EE@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: kitten@ietf.org
Subject: Re: [kitten] Updating IANA krb5 GSSAPI token type registry
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 18:54:07 -0000

Benjamin Kaduk wrote:
> Martin, Luke, thanks for looking these up, it saved a bunch of time.
> 
> I see that draft-ietf-krb-wg-gssapi-cfx-02 (which became RFC4121) had 0405 
> for the context deletion token, but this was removed in the -03 in favor 
> of not emitting such tokens.

I just found another one:

  http://tools.ietf.org/html/rfc2743#page-84

  04 01   exported name (token) created by gss_export_name()


In case that anyone is wondering what "per-message token without
generic framing" means:

GSS-API defines a mechanism-independent Token Format in
rfc-2743, section 3.1
   http://tools.ietf.org/html/rfc2743#page-81

(originally in GSS-API v1, rfc-1508, Appendix B)
   http://tools.ietf.org/html/rfc1508#page-48

which must be used for the _initial_context_token_,
This "generic framing" is originally defined as ASN.1, but
the description in rfc2743, section 3.1 also describes that
framing as bits-on-the-wire, so that it can be implemented
without ASN.1 tools.

There is _no_ requirement in the base gssapi specification
for mechanisms what framing or format to use for others but the
initia context token (i.e. the 1st token from Initiator to Acceptor)
or for per-message tokens.

The Kerberos gssapi mechanism (rfc1964) decided to use the generic
framing for _all_ context tokens, and in addition, for _all_ per message
tokens as well.

The update of the Kerberos gssapi mechanism (rfc4121) dropped the
generic framing on the per-message tokens, making the TOKEN_ID the
fist two octets to appear in rfc4121 per-message tokens.

-Martin

v2.23.0 | Report a Bug | By Email