Re: [kitten] Opsdir last call review of draft-ietf-kitten-rfc5653bis-05
Joe Clarke <jclarke@cisco.com> Wed, 06 September 2017 13:01 UTC
Return-Path: <jclarke@cisco.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 985B1132F05; Wed, 6 Sep 2017 06:01:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SodsuDdSYCe9; Wed, 6 Sep 2017 06:00:58 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 470BC132F09; Wed, 6 Sep 2017 06:00:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3798; q=dns/txt; s=iport; t=1504702857; x=1505912457; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to:content-transfer-encoding; bh=Bj+fK4swfqrQFwg9M9e/p/xWr7sQc6GvpZhkEDn4QBo=; b=M0pHwYmy7mv+Ytu8HlY+/WSiBCFkHsCEGZCvY7C7RSXrZpZuWSNNHphH tC9HtqUNMexAqpStkxOVsNE3ZlANCbfIsPpsCt2Ww3OQsxt7x4NQons0L dFA5CHscvilFe7efFZ18eQB+oOGW3iBukG/kb5G5H/EHL1+qoztAlojCV s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AJAgA68a9Z/4gNJK1eGQEBAQEBAQEBAQEBBwEBAQEBg1pkgRWDd5pCgXGYOgoYC4RMTwKEPEMUAQIBAQEBAQEBayiFGAEBAQECAQEBIUsLEAsYAgImAgInMAYNBgIBAYolCBCufYInizkBAQEBAQEBAQEBAQEBAQEBAQEBGgWBDYIdggKBToFjK4J9iAiCYQWgdJRRghOJQYcdiXyLL4E5NiGBDVMkFUmFGByCAyQ2iiUBAQE
X-IronPort-AV: E=Sophos;i="5.41,484,1498521600"; d="scan'208";a="453593731"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 06 Sep 2017 13:00:56 +0000
Received: from [10.118.87.94] (rtp-jclarke-nitro13.cisco.com [10.118.87.94]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id v86D0t72002235; Wed, 6 Sep 2017 13:00:55 GMT
To: Weijun Wang <weijun.wang@oracle.com>
Cc: ops-dir@ietf.org, kitten@ietf.org, ietf@ietf.org, draft-ietf-kitten-rfc5653bis.all@ietf.org
References: <150463800843.29826.6748894127604407016@ietfa.amsl.com> <2D53D28B-DCAD-485C-A8E5-182EA9C13F16@oracle.com>
From: Joe Clarke <jclarke@cisco.com>
Organization: Cisco
Message-ID: <54e49125-b10e-b756-19fe-57b78594efe0@cisco.com>
Date: Wed, 06 Sep 2017 09:00:55 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <2D53D28B-DCAD-485C-A8E5-182EA9C13F16@oracle.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/dkqv-3SfwJSNZN4JXiFmkizImzQ>
Subject: Re: [kitten] Opsdir last call review of draft-ietf-kitten-rfc5653bis-05
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2017 13:01:01 -0000
On 9/6/17 01:42, Weijun Wang wrote: > Hi Joe > > When I said it's a compatible change, I meant the behavior is compatible, so either initSecContext or acceptSecContext still throws an exception instead of returning KRB-ERROR in a byte array. I know "compatibility" has lots of different meanings. > > If this method is called directly (not via refection) it will only compile with a new JDK. The program will not run with an old JDK because in Java the class file contains a magic number that increases with each version. This happens before you can see a NoSuchMethodError. Yes, compile-time will stop you. But if you distribute an app with someone else's jar... (I know you know this :-) ). > > If a developer wants an application or library runnable with an old JDK release but also like to benefit from the new method when running with a new release, some kind of reflection (GSSException.class.getMethod) is needed. In this case the developer will certainly be aware that this method might not exist and deal with it carefully. > > I feel hesitated to add reflection calls to all examples since that will look quite a mess. How about changing the last paragraph of Section 11 1) to something like: > > New JGSS programs should make use of this new method but it is not mandatory. > A program that intends to run with both old and new Java releases can use > reflection to check the availability of this new method and call it accordingly. I'm good with this. A slight change, though: "A program that intends to run with both old and new GSS Java bindings can use reflection to check the availability of this new method and call it accordingly." You're right that adding reflection to the example would just muddle it. In a perfect world, you'd have the latest jar with the an app written for it. So the example is good. But my experience with Java is that you may not get the jar you expect, and changes like this that are said to be "compatible" can often bite you. Joe > > Thanks > Max > > >> >> On Sep 6, 2017, at 3:00 AM, Joe Clarke <jclarke@cisco.com> wrote: >> >> Reviewer: Joe Clarke >> Review result: Ready >> >> I have been asked to do an LC review of draft-ietf-kitten-rfc5653bis on behalf >> of the ops directorate (OPS-DIR). >> >> This draft is an update to the Java bindings for the Generic Security Service >> API Version 2. >> >> Overall, this document is READY. It clearly articulates the reason for the >> modifications in the Appendix, and the changes feel straight-forward and make >> sense in light of the C API capabilities. >> >> My one concern is the compatibility of this change relative to the previous >> RFC5653 bindings. That is, the previous GSSException does not have a >> getOutputToken method. The sample application in the draft (section 7) calls >> this new method (and I like the same covers the relevant change in this doc). >> But what happens if my Java library is the older 5653 version? A >> NoSuchMethodError will be thrown, which is not ideal. >> >> If there is a set of static properties one can check to see if they have the >> supported version of the library (and thus the GSSException.getOutputToken() >> method exists), then the example should use those, and that process should be >> called out in the text. In lieu of that, introspection could be used to >> determine if the new method exists in the current library before it is used. >> >> This is immediately a concern with any API change, but since the appendix >> mentions this is a compatible change, I wanted to raise the point. >> >> _______________________________________________ >> Kitten mailing list >> Kitten@ietf.org >> https://www.ietf.org/mailman/listinfo/kitten >
- [kitten] Opsdir last call review of draft-ietf-ki… Joe Clarke
- Re: [kitten] Opsdir last call review of draft-iet… Weijun Wang
- Re: [kitten] Opsdir last call review of draft-iet… Joe Clarke
- Re: [kitten] Opsdir last call review of draft-iet… Weijun Wang
- Re: [kitten] Opsdir last call review of draft-iet… Joe Clarke