Re: Working Group Last Call: Stackable Generic Security Service
Martin Rex <martin.rex@sap.com> Tue, 07 November 2006 19:30 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GhWeM-0003v9-MB; Tue, 07 Nov 2006 14:30:22 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GhWeL-0003uw-U5 for kitten@ietf.org; Tue, 07 Nov 2006 14:30:22 -0500
Received: from smtpde03.sap-ag.de ([155.56.68.140]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GhWeJ-00028Y-GV for kitten@ietf.org; Tue, 07 Nov 2006 14:30:21 -0500
Received: from sap-ag.de (smtpde03) by smtpde03.sap-ag.de (out) with ESMTP id UAA25784 for <kitten@ietf.org>; Tue, 7 Nov 2006 20:30:17 +0100 (MEZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200611071930.UAA16317@uw1048.wdf.sap.corp>
Orig-To: jaltman@secure-endpoints.com
To: kitten@ietf.org
Date: Fri, 03 Nov 2006 17:48:40 +0100
In-Reply-To: <45367FF9.4090306@secure-endpoints.com> from "Jeffrey Altman" at Oct 18, 6 03:26:49 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-Spam-Score: 1.1 (+)
X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8
Cc: Nicolas.Williams@sun.com
Subject: Re: Working Group Last Call: Stackable Generic Security Service
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Errors-To: kitten-bounces@lists.ietf.org
Jeffrey, Nico, Jeffrey Altman wrote: > > The Kitten Chair has received a request to submit > "Stackable Generic Security Service Pseudo-Mechanisms" > <http://www.ietf.org/internet-drafts/draft-ietf-kitten-stackable-pseudo-mechs-02.txt> > to the IESG for publication as a Proposed Standard. > > The working group last call will terminate at 00:00 EST 2 November 2006. I'm sorry, It looks like I missed the last call period. So I'm sending this to you directly. Stackable pseudo-mechanisms looks very ambitious to me -- a magnitude more ambitious than binary plug'n'play with shared libraries. I can not seriously comment on the document, because I lack the time to read it carefully and think about it, and I don't have any implementation or usage experience with this concept. Two observations: - A lot of existing gss-api mechanism do not return a mechanism OID from failing (initial) gss_init_sec_context() and gss_accept_sec_context() while at the same time they return a mechanism-specific minor_status. This may create a difficulty for gss_display_status(minor_status) to identify the particular gssapi mechanims that created this minor status. - The reason for CAT to drop gss_release_oid() and friends from the v2 spec was the incompatibilities between different heap (m)allocators, and the resulting problem for gss_release_oid() to distinguish (originally purely-static) OIDs from dynamic ones created by the gssapi mechanism. On Windows and OS/2, each DLL may use its own/seperate instance of a heap (m)allocater, and considering the explosion of incompaible MSVCRT.DLLs (VS.NET 2003/2005) using the WinSxS scheme, this is actually the norm today for software that meets in the field (and is not produced in a single compile). So it would be useful to re-iterate in the description of gss_release_oid() that all OIDs from the exiting gss-api v2 functions are static/readonly and must NOT be passed to this new optional function. The current wording "by another GSS-API call, specifically ..." sounds ambiguous in a dangerous fashion. I'm not sure who might be the real target audience for the stackable GSS Mech spec. IMHO, it's not the portable applications writer that call gss-api v2. How would a portable application writer benefit from CCM? Would it require a gss-api (multi-)mechanism that used these extensions to provide the benefit in a gss-api v2 transparent fashion? -Martin _______________________________________________ Kitten mailing list Kitten@lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten
- Re: Working Group Last Call: Stackable Generic Se… Jeffrey Altman
- Re: Working Group Last Call: Stackable Generic Se… Martin Rex