Re: [kitten] Proposed changes to http://tools.ietf.org/html/draft-ietf-kitten-gssapi-naming-exts-13
Leif Johansson <leifj@mnt.se> Mon, 26 March 2012 07:41 UTC
Return-Path: <leifj@mnt.se>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E2CB21F8528 for <kitten@ietfa.amsl.com>; Mon, 26 Mar 2012 00:41:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eytpwVFrSKRs for <kitten@ietfa.amsl.com>; Mon, 26 Mar 2012 00:41:33 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id DA1A221F8535 for <kitten@ietf.org>; Mon, 26 Mar 2012 00:41:28 -0700 (PDT)
Received: from [130.129.8.54] (dhcp-9036.meeting.ietf.org [130.129.8.54]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id q2Q7fNvM027691 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <kitten@ietf.org>; Mon, 26 Mar 2012 09:41:27 +0200 (CEST)
Message-ID: <4F701DA3.1040305@mnt.se>
Date: Mon, 26 Mar 2012 09:41:23 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20120310 Thunderbird/11.0
MIME-Version: 1.0
To: kitten@ietf.org
References: <CAK3OfOiROeUcGOCiELkQb1ziY6Vr7Ut8aKMPzbh-oSyF8tUYvQ@mail.gmail.com> <4F646900.60408@isode.com>
In-Reply-To: <4F646900.60408@isode.com>
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [kitten] Proposed changes to http://tools.ietf.org/html/draft-ietf-kitten-gssapi-naming-exts-13
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2012 07:41:34 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/17/2012 11:35 AM, Alexey Melnikov wrote: > On 16/03/2012 22:04, Nico Williams wrote: >> Sorry for proposing last minute changes. >> >> I have three changes to propose, of which only one is >> substantive: >> >> - clarify section 6 to indicate that "primary attribute >> component" and "prefix" are the same thing >> >> - re-write the second to last paragraph of section 6 >> >> - reserve a subset of the "local" attribute namespace >> >> ("local" attributes are ones with neither colons nor spaces) >> >> This is the substantive change. Sam and I believe that it will >> eventually be desirable to have simple attribute names that are >> not URNs -- developers and users/sysadmins (to the extent that >> attribute names leak into user/admin interfaces) will want >> non-URN, user-friendly, portable and generic attribute names. >> >> Sam proposes to reserve local attribute names that have an >> at-sign. >> >> This change requires confirmation on the list, thus this post. >> >> The proposed changes are as follows. >> >> 1) Clarification of "prefix": >> >> If an attribute name contains a space (ASCII 0x20), the first >> space separates the most significant or primary component of the >> name from - the remainder. If there is no space, the primary >> component is the - entire name, otherwise it defines the >> interpretation of the remainder - of the name.s + the >> remainder. We may refer to the primary component of the + >> attribute name as the attribute name's "prefix". If there is no >> + space, the primary component is the entire name, otherwise it >> defines + the interpretation of the remainder of the name.s >> >> 2) Re-write of second to last paragraph of section 6: >> >> - A sufficient prefix of attribute names needs to be dictated >> by a - mechanism in order to describe the context. For example >> it would be - problematic to represent SAML attribute names as >> the name format URI, - a space, and the remainder of the name. >> A carefully crafted SAML - assertion could appear to be a name >> from another mechanism or - context. Typically a SAML >> attribute name would include a prefix - describing the trust >> model and other context of the attribute name. + Since >> attribute names are split at the first space into prefix and + >> suffix, there is a potential for ambiguity if a mechanism >> blindly + passes through a name attribute whose name it does >> not understand. + In order to prevent such ambiguities the >> mechanism MUST always prefix + raw name attributes with a >> prefix that reflects the context of the + attribute. >> >> >> 3) Reserving local attribute names with at-signs in them: >> >> If the primary component contains an ASCII : (0x3a), then the >> primary component is a URI. Otherwise, the attribute is a local >> attribute and the primary component has meaning to the >> implementation of GSS- - API or to the specific configuration >> of the application. At this - time, local attribute names are >> not standardized; there is debate - about whether such >> standardization will be useful. Any future - standardizations >> will need to balance potential problems resulting - from >> attribute names used before standardization. + API or to the >> specific configuration of the application. Local + attribute >> names with an at-sign ('@') in them are reserved for future + >> allocation by the IETF. >> >> Comments? > I like these changes. > Anyone else have an opinion. This is the only thing holding this document up and I'd like to push a final version for IETF LC this week. Cheers Leif -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9wHaMACgkQ8Jx8FtbMZndLKwCfRl2NWcP+Gkih5sIx1+8OykqI +ZgAnip2ksJjeGNNlyXS7DyRDn2dPBzA =Hx5m -----END PGP SIGNATURE-----
- [kitten] Proposed changes to http://tools.ietf.or… Nico Williams
- Re: [kitten] Proposed changes to http://tools.iet… Leif Johansson
- Re: [kitten] Proposed changes to http://tools.iet… Alexey Melnikov
- Re: [kitten] Proposed changes to http://tools.iet… Leif Johansson