Re: WGLC on draft-ietf-kitten-rfc2853bis-04
Wesley Leggette <wleggette@cleversafe.com> Fri, 25 July 2008 22:38 UTC
Return-Path: <kitten-bounces@ietf.org>
X-Original-To: kitten-archive@megatron.ietf.org
Delivered-To: ietfarch-kitten-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90A753A68AE; Fri, 25 Jul 2008 15:38:51 -0700 (PDT)
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 782E63A68AE for <kitten@core3.amsl.com>; Fri, 25 Jul 2008 15:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pBlyenahTOI0 for <kitten@core3.amsl.com>; Fri, 25 Jul 2008 15:38:49 -0700 (PDT)
Received: from out001.atlarge.net (out001.atlarge.net [129.41.63.69]) by core3.amsl.com (Postfix) with ESMTP id 398A83A688A for <kitten@ietf.org>; Fri, 25 Jul 2008 15:38:48 -0700 (PDT)
Received: from csi-01-ex.atlarge.net ([10.100.50.47]) by out001.atlarge.net with Microsoft SMTPSVC(6.0.3790.1830); Fri, 25 Jul 2008 17:38:45 -0500
Received: from 10.100.70.6 ([10.100.70.6]) by csi-01-ex.atlarge.net ([10.100.50.47]) via Exchange Front-End Server owa.atlarge.net ([10.100.50.148]) with Microsoft Exchange Server HTTP-DAV ; Fri, 25 Jul 2008 22:38:45 +0000
User-Agent: Microsoft-Entourage/12.0.0.071130
Date: Fri, 25 Jul 2008 17:38:49 -0500
Subject: Re: WGLC on draft-ietf-kitten-rfc2853bis-04
From: Wesley Leggette <wleggette@cleversafe.com>
To: Mayank Upadhyay <mayank+ietf-kitten@google.com>
Message-ID: <C4AFC029.7B41%wleggette@cleversafe.com>
Thread-Topic: WGLC on draft-ietf-kitten-rfc2853bis-04
Thread-Index: AcjupzSh/7+m+GxukUGtxqblxNQLqA==
In-Reply-To: <6f7ed4930807251405q123e71fh2169502e135d22d2@mail.gmail.com>
Mime-version: 1.0
X-OriginalArrivalTime: 25 Jul 2008 22:38:45.0888 (UTC) FILETIME=[32C68800:01C8EEA7]
Cc: kitten@ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: kitten-bounces@ietf.org
Errors-To: kitten-bounces@ietf.org
Mayank, Thanks for your reply. Will take this up with Sun. Wesley On 7/25/08 16:05, "Mayank Upadhyay" <mayank+ietf-kitten@google.com> wrote: > Wesley, > > It's not unusual for the base Java platform (J2SE) to have additional > requirements over what the JGSS API defines. Interaction with JAAS has > traditionally been one of those areas. > > JGSS is unique in the sense that the API was originally defined at the IETF, > but since it is included in J2SE, it also had to go though the Java > Community Process (JCP) to be adopted. The JCP experts group placed > additional requirements that had to do with JAAS interaction. These were > only specified in the javadocs for J2SE (e.g., > http://java.sun.com/javase/6/docs/api/org/ietf/jgss/package-summary.html#useSu > bjectCredsOnly), > and not in the JGSS RFC. > > It was also realized at the time, that we would need a way to convert back > from GSSCredential to a JAAS Subject. So Sun provided an API specific to > Sun's JRE to do this. Please see: > http://java.sun.com/javase/6/docs/jre/api/security/jgss/spec/com/sun/security/ > jgss/GSSUtil.html. > It wasn't pushed through as a standard J2SE API because we were unsure if it > would suffice. > > Perhaps the best thing to do would be to take the issue up with Sun and ask > if the com.sun.jgss.GSSUtil API could be moved into J2SE as part of a > standard auth package like javax.security.auth? There are already other > classes in this and its sub-packages related to this space. > > -Mayank > > 2008/7/22 kitten-request <kitten-request@ietf.org>: > > Today's Topics: > > 1. Re: WGLC on draft-ietf-kitten-rfc2853bis- >> >> 04 (Wesley Leggette) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Mon, 21 Jul 2008 22:22:17 -0500 >> From: Wesley Leggette <wleggette@cleversafe.com> >> Subject: Re: WGLC on draft-ietf-kitten-rfc2853bis-04 >> To: <kitten@ietf.org> >> Message-ID: >> <C4AABC99.79C7%wleggette@cleversafe.com<C4AABC99.79C7%25wleggette@cleversafe. >> com> >>> >> Content-Type: text/plain; charset="US-ASCII" >> >> By way of introduction, I am a senior software developer at Cleversafe, >> Inc. >> We are developing a "dispersed" storage technology called "dsNet" and have >> been using GSS-API within our new security framework. Our code is written >> in >> Java and the aspects of GSS-API we are especially interested in is the >> authentication negotiation with SPNEGO and credential delegation features. >> >> We anticipate migrating to Kerberos and SPKM authentication but realize >> that >> our users will require support for password-based authentication as well >> and >> to that end have implemented a password-based authentication mechanism >> based >> heavily on SSHv2. >> >> Working with GSS-API on an alternate mechanism (especially one that >> requires >> multiple exchanges) has uncovered a few bugs in the Java GSS-API and SPNEGO >> implementations, which is somewhat interesting. (We plan on taking this up >> with Sun directly. I just mentioned it here for color.) >> >> But to the point, because we have decided to integrate heavily with the >> Java >> Authentication and Authorization Service we've found that the major >> shortcoming of the GSS-API Java bindings is the lack of a mechanism >> independent way of obtaining java Subject objects for both the local and >> delegated credentials of a GSSContext. >> >> I can anticipate that Java-specific (especially JAAS-specific) objects were >> purposefully omitted from the Java bindings. Was this the case and if so >> what was the rationale? If this was not purposefully omitted I would >> request >> that this be considered for this draft. >> >> Wesley Leggette >> Senior Software Developer >> Cleversafe, Inc. >> http://www.cleversafe.com >> >> >> >> >> ------------------------------ >> >> _______________________________________________ >> Kitten mailing list >> Kitten@ietf.org >> https://www.ietf.org/mailman/listinfo/kitten >> >> >> End of Kitten Digest, Vol 46, Issue 2 >> ************************************* _______________________________________________ Kitten mailing list Kitten@ietf.org https://www.ietf.org/mailman/listinfo/kitten
- WGLC on draft-ietf-kitten-rfc2853bis-04 Shawn M Emery
- Re: WGLC on draft-ietf-kitten-rfc2853bis-04 Wesley Leggette
- Re: WGLC on draft-ietf-kitten-rfc2853bis-04 Mayank Upadhyay
- Re: WGLC on draft-ietf-kitten-rfc2853bis-04 Wesley Leggette