Re: [kitten] I-D Action: draft-ietf-kitten-gss-loop-00.txt
Benjamin Kaduk <kaduk@MIT.EDU> Fri, 23 May 2014 20:30 UTC
Date: Fri, 23 May 2014 16:30:41 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: kitten@ietf.org
In-Reply-To: <20140511052746.8581.65129.idtracker@ietfa.amsl.com>
Message-ID: <alpine.GSO.1.10.1405231624260.25244@multics.mit.edu>
References: <20140511052746.8581.65129.idtracker@ietfa.amsl.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/d3LfsBg9itiai36_-L0jv65a-TQ
On Sun, 11 May 2014, internet-drafts@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Common Authentication Technology Next Generation Working Group of the IETF.
>
> Title : Structure of the GSS Negotiation Loop
> Author : Benjamin Kaduk
> Filename : draft-ietf-kitten-gss-loop-00.txt
> Pages : 17
> Date : 2014-05-08
>
> Abstract:
> This document specifies the generic structure of the negotiation loop
> to establish a GSS security context between initiator and acceptor.
> The control flow of the loop is indicated for both parties, including
> error conditions, and indications are given for where application-specific
> behavior must be specified.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-kitten-gss-loop/
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-kitten-gss-loop-00

The only changes of note are in the C sample code. The controversial comment about "safe to call gss_release_buffer twice on the same buffer" is removed, and the behavior changed slightly. Inside the loop, the buffer is always released, which is safe. Since gss_release_buffer is required to zero the length field, that is what is checked in the outer cleanup label to avoid calling gss_release_buffer twice.

I also made some style tweaks, inspired by Greg's comments, and changed the name of the "context_established" variable to reflect which side of the exchange was established.

I did not take Nico's suggestion of adding in a check in the acceptor for whether the authenticated initiator name was authorized, as that would be a fair amount of extra code and probably be mission creep.

-Ben
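The release discipline Ben describes, as an added example that is not the draft's sample code and not part of the original message: the initiator side of the loop releases the output token unconditionally inside the loop and, at the cleanup label, releases it again only if its length field is non-zero. The GSS-API calls are replaced by small constructed mocks (`mock_init_sec_context`, `mock_release_buffer`) so the file builds without a GSS-API library; the mock release honours exactly what RFC 2744 promises (the length field is zeroed) and deliberately leaves `value` stale, as a conforming implementation may, so a second release of the same descriptor counts as a double free. The status-code constants follow the RFC 2744 bit layout; the `round`, `total_rounds` and `fail_round` parameters are hypothetical knobs of the mock, and `initiator_established` is the side-specific name the message refers to.

```c
/* Added example, not the draft's sample code. GSS-API calls are constructed
 * mocks so the file runs stand-alone; only the release contract is faithful. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef uint32_t OM_uint32;
/* Status layout per RFC 2744 section 3.9.1 */
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_S_COMPLETE 0
#define GSS_S_CONTINUE_NEEDED 1
#define GSS_S_FAILURE (13u << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_ERROR(m) ((m) & ((0377u << GSS_C_CALLING_ERROR_OFFSET) | \
                             (0377u << GSS_C_ROUTINE_ERROR_OFFSET)))

typedef struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t;

static int g_frees, g_double_frees;   /* counters the mock maintains */

/* Mock gss_release_buffer: zeroes length (required by RFC 2744), leaves the
 * value pointer stale (permitted), so a repeat call is a double free. The
 * mock counts that instead of corrupting the heap. */
static OM_uint32 mock_release_buffer(OM_uint32 *minor, gss_buffer_t buf)
{
    *minor = 0;
    if (buf->length == 0) {
        if (buf->value != NULL)
            g_double_frees++;   /* descriptor already released: stale pointer */
        return GSS_S_COMPLETE;
    }
    free(buf->value);
    g_frees++;
    buf->length = 0;            /* the only field the API guarantees to reset */
    return GSS_S_COMPLETE;
}

/* Hypothetical mock gss_init_sec_context: one constructed token per call,
 * GSS_S_CONTINUE_NEEDED until total_rounds, GSS_S_FAILURE (leaving an error
 * token in output_token) at fail_round; fail_round = 0 means never fail. */
static OM_uint32 mock_init_sec_context(OM_uint32 *minor, int *round, int total_rounds,
                                       int fail_round, gss_buffer_t output_token)
{
    char token[32];
    int n = snprintf(token, sizeof token, "token-%d", ++*round);
    *minor = 0;
    output_token->length = (size_t)n;
    output_token->value = malloc((size_t)n);
    memcpy(output_token->value, token, (size_t)n);
    if (*round == fail_round)
        return GSS_S_FAILURE;
    return (*round < total_rounds) ? GSS_S_CONTINUE_NEEDED : GSS_S_COMPLETE;
}

struct loop_result { int initiator_established; int frees; int double_frees; };

/* Initiator side of the loop. guard_cleanup = 1 checks the zeroed length
 * before the final release (the discipline the message describes);
 * guard_cleanup = 0 releases unconditionally at the cleanup label, which
 * double-releases on the normal exit path because the loop already did it. */
static struct loop_result run_initiator(int total_rounds, int fail_round, int guard_cleanup)
{
    OM_uint32 major, minor;
    gss_buffer_desc output_token = { 0, NULL };
    struct loop_result r = { 0, 0, 0 };
    int round = 0;

    g_frees = g_double_frees = 0;
    do {
        major = mock_init_sec_context(&minor, &round, total_rounds, fail_round, &output_token);
        if (GSS_ERROR(major))
            goto cleanup;       /* output_token may still own an error token */
        if (output_token.length != 0) {
            /* send_token(&output_token) would go here. */
            (void)mock_release_buffer(&minor, &output_token); /* always released in-loop */
        }
        if (major == GSS_S_COMPLETE)
            r.initiator_established = 1;
        /* On GSS_S_CONTINUE_NEEDED, receive_token() for the peer's reply would go here. */
    } while (major & GSS_S_CONTINUE_NEEDED);

cleanup:
    /* The zeroed length is the only reliable sign the loop already released it. */
    if (!guard_cleanup || output_token.length != 0)
        (void)mock_release_buffer(&minor, &output_token);
    r.frees = g_frees;
    r.double_frees = g_double_frees;
    return r;
}

int main(void)
{
    struct loop_result ok = run_initiator(3, 0, 1);
    struct loop_result bad = run_initiator(3, 0, 0);
    printf("guarded:   established=%d frees=%d double=%d\n",
           ok.initiator_established, ok.frees, ok.double_frees);
    printf("unguarded: established=%d frees=%d double=%d\n",
           bad.initiator_established, bad.frees, bad.double_frees);
    return 0;
}
```

The guarded variant releases each token exactly once on both the normal exit (last token freed in the loop, cleanup skips it) and the error exit (cleanup frees the error token left behind); the unguarded variant shows why the removed "safe to call twice" assumption was controversial, since only the length, not the value pointer, is guaranteed to be reset.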