IETF Logo Mail Archive

Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04

Weijun Wang <weijun.wang@oracle.com> Fri, 04 August 2017 10:15 UTC

Return-Path: <weijun.wang@oracle.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4949B131FC7 for <kitten@ietfa.amsl.com>; Fri, 4 Aug 2017 03:15:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oPRziieIHwMC for <kitten@ietfa.amsl.com>; Fri, 4 Aug 2017 03:15:38 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB9E4131CE8 for <kitten@ietf.org>; Fri, 4 Aug 2017 03:15:38 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v74AFbXM021195 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 4 Aug 2017 10:15:37 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v74AFbF2012573 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 4 Aug 2017 10:15:37 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v74AFalg017472; Fri, 4 Aug 2017 10:15:37 GMT
Received: from dhcp-tokyo-twvpn-1a-vpnpool-10-191-2-46.vpn.oracle.com (/10.191.2.46) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 04 Aug 2017 03:15:36 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Weijun Wang <weijun.wang@oracle.com>
In-Reply-To: <20170804004033.GB70977@kduck.kaduk.org>
Date: Fri, 04 Aug 2017 18:15:33 +0800
Cc: Eric Rescorla <ekr@rtfm.com>, kitten <kitten@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <599ED5F5-E418-4F92-A9F4-E3AFE7B67718@oracle.com>
References: <CABcZeBPG-xqYj+FrPfJofvpLP-UD2PA52NrgxR_Y4nzwY4S8Uw@mail.gmail.com> <DC114106-3DAA-4CFC-B83D-EA277036AEAE@oracle.com> <CABcZeBP6+dtxoR9eib2Ymhv7fBORMnw4M+NSKN-7WG3AowVG0Q@mail.gmail.com> <20170718002217.GL75962@kduck.kaduk.org> <CABcZeBNWQBjx5Bx-XmVfxxtsiZnUayT18EUkSxDh56i_A=vaYw@mail.gmail.com> <84A3DE01-19D1-49A0-BA08-C71FB96C20AB@oracle.com> <20170804004033.GB70977@kduck.kaduk.org>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3273)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/dvAqF-X8cl1D_tpDFKczUjmd0po>
Subject: Re: [kitten] AD Review: draft-ietf-kitten-rfc5653bis-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 10:15:40 -0000

> On Aug 4, 2017, at 8:40 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
>> 4. And a clarification text "When neither of the methods is called, the implementation should choose a default provider for each mechanism it supports" to the introduction of addProviderAtFront() and addProviderAtEnd(), at the end of S 6.1.
> 
> I'm not entirely sure that this addresses Ekr's concern.  Laying it out (hopefully)
> more clearly, suppose that I have a java standard library that provides GSSAPI
> support, and supports the krb5 and ntlm mechanisms.  It's clear that my
> application code could supply an alternate provider for the krb5 mech and
> have that used preferentially.  But could my application code also supply
> a provider for, say, the IAKERB mech via addProviderAtFront, and have that used?

I think this is already covered in https://tools.ietf.org/html/draft-ietf-kitten-rfc5653bis-04#page-34:

> 3) The application wants to use the locally configured providers as
>       far as possible, but if support is missing for one or more
>       mechanisms, then it wants to fall back on its own provider.

Here, support for the IAKERB mech "is missing", and user provides "its own provider". Of course in this case, calling addProviderAtFront or addProviderAtEnd makes no difference.

Thanks
Max

v2.23.0 | Report a Bug | By Email