Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL mechanism' to Proposed Standard (draft-ietf-sasl-gssapi)
Mark Crispin <MRC@CAC.Washington.EDU> Mon, 28 August 2006 23:32 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHqaj-0005CR-QA; Mon, 28 Aug 2006 19:32:29 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHqai-0005C2-Cl; Mon, 28 Aug 2006 19:32:28 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHpSD-00051D-8o; Mon, 28 Aug 2006 18:19:37 -0400
Received: from mxout7.cac.washington.edu ([140.142.32.178]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1GHp6F-0002tG-Im; Mon, 28 Aug 2006 17:56:57 -0400
Received: from smtp.washington.edu (smtp.washington.edu [140.142.32.139]) by mxout7.cac.washington.edu (8.13.7+UW06.06/8.13.7+UW06.03) with ESMTP id k7SLusLK030854 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 28 Aug 2006 14:56:54 -0700
X-Auth-Received: from Tomobiki-Cho.CAC.Washington.EDU (tomobiki-cho.cac.washington.edu [128.95.135.58]) (authenticated authid=mrc) by smtp.washington.edu (8.13.7+UW06.06/8.13.7+UW06.03) with ESMTP id k7SLurw3024897 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Mon, 28 Aug 2006 14:56:54 -0700
Date: Mon, 28 Aug 2006 14:54:51 -0700
From: Mark Crispin <MRC@CAC.Washington.EDU>
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20060828214650.GR10208@binky.Central.Sun.COM>
Message-ID: <Pine.WNT.4.65.0608281446450.4760@Tomobiki-Cho.CAC.Washington.EDU>
References: <E1GHnYk-0006tr-P2@stiedprstage1.ietf.org> <Pine.WNT.4.65.0608281325160.4760@Tomobiki-Cho.CAC.Washington.EDU> <20060828214650.GR10208@binky.Central.Sun.COM>
Organization: Networks & Distributed Computing
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-PMX-Version: 5.2.0.264296, Antispam-Engine: 2.4.0.264935, Antispam-Data: 2006.8.28.100944
X-Uwash-Spam: Gauge=IIIIIII, Probability=7%, Report='__CP_URI_IN_BODY 0, __CT 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0'
X-Spam-Score: -2.5 (--)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
Cc: kitten@ietf.org, ietf-sasl@imc.org, iesg@ietf.org
Subject: Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL mechanism' to Proposed Standard (draft-ietf-sasl-gssapi)
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Errors-To: kitten-bounces@lists.ietf.org
On Mon, 28 Aug 2006, Nicolas Williams wrote: > Since this is all specific to the Kerberos V GSS-API mechanism I think > the value of this flag is irrelevant, so this change should not render > any earlier implementations non-compliant in terms of their on-the-wire > behaviour. In that case, it's all the more reason to use SHOULD instead of MUST. > (At least one implementation of the Kerberos V GSS mechanism used to > leave out confidentiality protection, but none, to my knowledge, fails > to provide MIC and/or wrap tokens when integ_req_flag == false in the > call to GSS_Init_sec_context().) However, a change in the GSSAPI shared library could, without change to the client code itself, render a client that fails to set integ_req_flag non-compliant over-the-wire. So we shouldn't count upon this. I just don't want a path where my old installed base is retroactively declared non-compliant, or a trap laid where external events could change that base to become non-compliant. It's an entirely different matter if the old code is not "non-compliant" but has (potential) behavior that is "deprecated" in favor of the new code which follows the new rule. > GSS_C_NO_CHANNEL_BINDINGS is only defined in the C bindings of the > GSS-API (RFC2744), whereas the base GSS-API specification (RFC2743) uses > "NULL" to mean "no channel bindings" (e.g., "...where NULL channel > bindings..." and "[w]hen non-NULL channel bindings are provided"). OK, consider that one withdrawn. Thanks. -- Mark -- http://staff.washington.edu/mrc Science does not emerge from voting, party politics, or public debate. Si vis pacem, para bellum. _______________________________________________ Kitten mailing list Kitten@lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten
- Last Call: 'The Kerberos V5 ("GSSAPI") SASL mecha… The IESG
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Kurt D. Zeilenga
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Kurt D. Zeilenga
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Altman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Simon Josefsson
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Martin Rex
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Simon Josefsson
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Simon Josefsson
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Sam Hartman
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Nicolas Williams
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Mark Crispin
- Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL m… Jeffrey Hutzelman