Re: Comments on draft-ietf-kitten-extended-mech-inquiry-03.txt
Nicolas Williams <Nicolas.Williams@sun.com> Fri, 21 March 2008 21:21 UTC
Return-Path: <kitten-bounces@ietf.org>
X-Original-To: ietfarch-kitten-archive@core3.amsl.com
Delivered-To: ietfarch-kitten-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24E3328C234; Fri, 21 Mar 2008 14:21:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.429
X-Spam-Level:
X-Spam-Status: No, score=-101.429 tagged_above=-999 required=5 tests=[AWL=-0.992, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZJ7iwBFU0Ar; Fri, 21 Mar 2008 14:21:28 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3CE8328C14A; Fri, 21 Mar 2008 14:21:28 -0700 (PDT)
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B33D28C14A for <kitten@core3.amsl.com>; Fri, 21 Mar 2008 14:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQHuOX8+VBfF for <kitten@core3.amsl.com>; Fri, 21 Mar 2008 14:21:25 -0700 (PDT)
Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34]) by core3.amsl.com (Postfix) with ESMTP id 93C723A6BD5 for <kitten@ietf.org>; Fri, 21 Mar 2008 14:21:20 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m2LLJ2tW003333 for <kitten@ietf.org>; Fri, 21 Mar 2008 21:19:02 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id m2LLJ2dU008252 for <kitten@ietf.org>; Fri, 21 Mar 2008 15:19:02 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m2LLJ2cJ022427; Fri, 21 Mar 2008 16:19:02 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m2LLJ2T5022426; Fri, 21 Mar 2008 16:19:02 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Fri, 21 Mar 2008 16:19:02 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Subject: Re: Comments on draft-ietf-kitten-extended-mech-inquiry-03.txt
Message-ID: <20080321211902.GY16998@Sun.COM>
Mail-Followup-To: Alexey Melnikov <alexey.melnikov@isode.com>, kitten@ietf.org
References: <47D5720F.8070805@isode.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <47D5720F.8070805@isode.com>
User-Agent: Mutt/1.5.7i
Cc: kitten@ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: kitten-bounces@ietf.org
Errors-To: kitten-bounces@ietf.org
On Mon, Mar 10, 2008 at 05:38:23PM +0000, Alexey Melnikov wrote: > I think this document updates RFC 2743 (i.e. it defines a new error > code, new functions and section 4 puts additional requirements on new > GSS-API mechanisms). This should be specified in the header of the document. I'm not sure that defining new functions qualifies as updating RFC2743. Adding new status codes does, at least until the advent of the IANA registry for GSS namespaces (that I-D will definitly update RFC2743 and RFC2744, and maybe the Java bindings as well). > Section 3.1 references pseudo-mechanisms for the first time. There is no > reference to the document which describes what they are. I'll add one. > ><TBD> [1.3.6.1.5.5.12 appears to be available] > > Who controls the parent OID? http://www.iana.org/assignments/smi-numbers And it's taken, actually. I'll update the text to mention that IANA is responsible for this allocation, and that ..._13_ appears to be available. > > | GSS_C_MA_AUTH_INIT_INIT | Indicates support for "initial" | > > What is "initial authentication"? I'll add text. This is intended for LIPKEY, but this is potentially controversial in that it's hard define. Password-based mechanisms (e.g., SCRAM) would have this attribute. One could argue that PKU2U would have it too when the initiator's private key lives in a smartcard, but is there anything in the certificate that allows the acceptor to verify that the key was generated in an approved token? And even if there was, what about using a remote soft token (think SACRED)? How can the acceptor know that's not what's happening? It might be easier to rename this to GSS_C_MA_INIT_PASSWORD and leave the other issues to other mechanisms. Thoughts? > > | | authentication of initiator to | > > | | acceptor. | > > In section 3.3: > > > The attributes of mechanisms negotiated by SPNEGO are not modified by > > the use of SPNEGO. > > I am not sure on what you mean here. Are you saying that attributes of > the underlying mechanisms negotiated by SPNEGO must also be returned as > the SPNEGO attributes? SPNEGO is supposed to output the OID of the mechanism that was negotiated. I'll remove this text -- it's completely redundant. > >3.4.2. GSS_Inquire_attrs_for_mech() > > [...] > > > GSS_Inquire_mech_attrs_for_mech() indicates the set of mechanism > > The section title doesn't match the function name. Please fix. Right, thanks. > In section 3.4.5: > > > OM_uint32 gss_inquire_mechs_for_mech_attrs( > > OM_uint32 *minor_status, > > const gss_OID_set desired_mech_attrs, > > gss_OID_set *mechs); > > > > OM_uint32 gss_inquire_mech_attrs_for_mech( > > OM_uint32 *minor_status, > > const gss_OID mech, > > gss_OID_set *mech_attrs); > > Firstly, the name of the function is duplicated once. (I think the first > one is incorrect.) > Secondly, I think the first function is missing the exclude list of > attributes. Will fix. > > of programming language symbols with names beginning > > with GSS_C_MA_* is reserved for allocation by IESG Protocol Action > > (probably in the specifications of future GSS-API mechanisms). > > I suggest you delete text in (), as it is not binding on anyone. I think "probably" is a sure tip on a clue that the text is informative :) But sure, it's not useful either. > Also, the document creates a new IANA registry. It looks like section > 3.3 provides initial registrations, but the IANA Considerations section > doesn't tell that. I suggest adding a sentence pointing to section 3.3 > for IANA's sake. I will add that. Thanks! Nico -- _______________________________________________ Kitten mailing list Kitten@ietf.org https://www.ietf.org/mailman/listinfo/kitten
- Comments on draft-ietf-kitten-extended-mech-inqui… Alexey Melnikov
- Re: Comments on draft-ietf-kitten-extended-mech-i… Nicolas Williams