Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG
Nico Williams <nico@cryptonector.com> Wed, 13 February 2013 15:41 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C54CE21F86F8 for <kitten@ietfa.amsl.com>; Wed, 13 Feb 2013 07:41:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.824
X-Spam-Level:
X-Spam-Status: No, score=-3.824 tagged_above=-999 required=5 tests=[AWL=-1.847, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hb9oFEnssZbP for <kitten@ietfa.amsl.com>; Wed, 13 Feb 2013 07:41:32 -0800 (PST)
Received: from homiemail-a72.g.dreamhost.com (caiajhbdcahe.dreamhost.com [208.97.132.74]) by ietfa.amsl.com (Postfix) with ESMTP id C0DF021F86FD for <kitten@ietf.org>; Wed, 13 Feb 2013 07:41:32 -0800 (PST)
Received: from homiemail-a72.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTP id C1F8C6B0070 for <kitten@ietf.org>; Wed, 13 Feb 2013 07:41:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=f4snrENd2c+zjQL88tPhp6xrMGA=; b=g6j1u6vZwvQ LsKx3g8ko9IFPk3eZepBPT85CAYbaCsNRF6BShqegmp9M71PvLIiFDjZARbkMohR LPKRTpIVJ3cTP/etoaemaKgs1NG2TgFUpD152IIckEO0ESaXwYBmZsm2zrWr7l9P PCjrg7Jkef9BRYpmXY2MLYKCU0LIdYvM=
Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com [209.85.212.179]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTPSA id 50D696B0059 for <kitten@ietf.org>; Wed, 13 Feb 2013 07:41:30 -0800 (PST)
Received: by mail-wi0-f179.google.com with SMTP id ez12so1563056wid.12 for <kitten@ietf.org>; Wed, 13 Feb 2013 07:41:28 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.180.79.201 with SMTP id l9mr10831192wix.20.1360770088830; Wed, 13 Feb 2013 07:41:28 -0800 (PST)
Received: by 10.217.39.133 with HTTP; Wed, 13 Feb 2013 07:41:28 -0800 (PST)
In-Reply-To: <D5847DD823005F4E9DB94FE77DCEDF68121BB11F@ALVMBXW01.prod.quest.corp>
References: <D5847DD823005F4E9DB94FE77DCEDF68121BB11F@ALVMBXW01.prod.quest.corp>
Date: Wed, 13 Feb 2013 09:41:28 -0600
Message-ID: <CAK3OfOig_D5T082KtJw+0t95YdOekgCzahBvW9m+msg3yZR6sQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Thomas Maslen <Thomas.Maslen@quest.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2013 15:41:33 -0000
On Tue, Feb 12, 2013 at 11:23 PM, Thomas Maslen <Thomas.Maslen@quest.com> wrote: > This is a general comment on draft-williams-kitten-channel-bound-flag-01 from the perspective of Java GSSAPI (RFC 5653). I really appreciate this comment. Thanks! > NOTE: This is just my personal 0.02. It doesn't necessarily reflect the views of my employer (Quest, now part of Dell). Also, I have no affiliation with Oracle, so I'm definitely not speaking for them. With that out of the way... Several years ago the JCP ceded ownership of the JGSS API to the IETF. This doesn't mean that Oracle will implement whatever we standardize, or any other Java implementor for that matter, but it does mean we can pursue JGSS extensions here. > To solve this problem for the Java GSSAPI (RFC 5653), I think that it would be more natural to do any one of the following: Sure, new methods make a lot more sense for the JGSS than a set cred option method on credentials. I completely agree. I'd probably go for a context method (your option (d)) rather than a new channel binding constructor, but it's roughly all the same, yes? > To me, any of those feels much more natural than doing something tricky via the GSSCredential. Absolutely. The Java bindings of the GSS-API has a fairly different model from the abstract and C bindings. For Java we should follow the pattern already set for the Java bindings. > I think I understand why you have to resort to (from my perspective) somewhat unnatural acts for the C bindings -- you can't add a field to the gss_channel_bindings_struct because that would break badly, and you (very reasonably, per your section 1.2) don't want to change the signature of gss_accept_sec_context() -- but IMO it would be unfortunate if a problem that is specific to the C bindings led to a perverse design in the abstract GSSAPI (RFC 2743) and in the Java bindings. It's because there's no constructor for gss_ctx_id_t values. You have to call gss_init/accept_sec_context() with a null context initially. Also, we already have gss_set_cred_option() in several C implementations -- it made sense to re-use what we already had for this sort of extension. > For example, I don't think that the Java bindings really need GSS_C_CHANNEL_BOUND_CRED_OPT_OID, and for that matter I'm not sure that the abstract GSSAPI does either. Agreed as to the first part. As for the abstract API, it and the C bindings resemble each other fairly closely, so I'd rather keep that resemblance, but I'm open to alternatives. After all, this option is only a credential option in the sense that credentials are the convenient carrier for the option -- there are other options that are more like credential options (e.g., options related to cipher suite policies, but these too would exist primarily to affect cipher suite negotiation for security context establishment, so maybe this is a bad example). I have to agree too with the unstated sentiment that there are some flaws in the abstract API and C bindings, namely: - no app/library context handle - minor status is too small to encode desired error information - the lack of both an app/library context handle and a constructor for "empty" security contexts means that we don't get to pass in any kinds of options except via req_flags and then only in gss_init_sec_context() I could go on. That's a start. However, this is the API we have. I have toyed before with a version 3 of the API to correct all of these and many more problems (e.g., memory management issues in the C bindings). However, that would be a huge undertaking that I have neither the energy nor the funding for, and even if I did, I'd still have the immense task of getting the new API adopted. I've settled for accepting the flaws of the standard API and the barnacles that implementations have gathered over the years, though not without some sadness. Nico --
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Luke Howard
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Luke Howard
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Luke Howard
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Luke Howard
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Sam Hartman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Jeffrey Hutzelman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Sam Hartman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Sam Hartman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Jeffrey Hutzelman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Jeffrey Hutzelman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Luke Howard
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Luke Howard
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Jeffrey Hutzelman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Thomas Maslen
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Sam Hartman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Jim Schaad
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Sam Hartman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Jim Schaad
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Sam Hartman
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Martin Rex
- Re: [kitten] We need a GSS_C_CHANNEL_BOUND_FLAG Nico Williams