[secdir] SecDir review for draft-ietf-kitten-rfc5653bis-05

"Polk, Tim (Fed)" <william.polk@nist.gov> Mon, 13 November 2017 07:35 UTC

From: "Polk, Tim (Fed)" <william.polk@nist.gov>
To: The IESG <iesg@ietf.org>, IETF Security Directorate <secdir@ietf.org>, "draft-ietf-kitten-rfc5653bis.all@ietf.org" <draft-ietf-kitten-rfc5653bis.all@ietf.org>
Date: Mon, 13 Nov 2017 07:35:29 +0000
Message-ID: <DM2PR09MB0559AC9F6055FE230F22099BE72B0@DM2PR09MB0559.namprd09.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0zt_zsyzjSSy-RP-6wZwdhHp8PI>

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready.

This document is a straightforward update of RFC 5653:

1. The draft modifies GSSException to support an embedded error token; as
specified in RFC 5653 a JGSS application throwing a GSSException could
not return an error token, a functional shortcoming in comparison with
the C bindings of GSS-API (see RFC 2744). The embedded error token
corrects this shortcoming. The document describes a compatibility strategy
for new JGSS programs that run with both RFC5653 and RFC5653bis Java
bindings.

2. The draft removes stream-based GSSContext methods.  These methods
cannot be implemented correctly where tokens have no self-framing or the
library has no knowledge of the token format.  The document states that
applications using input and output streams as the means to convey
authentication and per-message GSS-API tokens should also define the wire
protocol.  The reviewer infers that new applications using this design
strategy should be compatible with RFC5653 bindings, but that is not
explicitly stated.
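Both review points concern how a JGSS application moves tokens between peers: point 2 says the application, not the library, must define the wire framing when tokens travel over streams, and point 1 says a context failure can now carry an error token back to the peer. The Java below is an added example written for this review and is not code from the draft, from RFC 5653 or from any JGSS implementation. It frames each token with a 4-byte big-endian length prefix over an application stream, drives the context with the byte-array `initSecContext`/`acceptSecContext` methods that remain in the bis draft, and on `GSSException` forwards the embedded error token to the peer. The accessor name `getOutputToken()` is assumed to be the one the bis draft defines for that token; the stock JDK `org.ietf.jgss` classes may not provide it, so that method must be compiled against an rfc5653bis-conformant binding. The `MAX_TOKEN_LEN` bound, the `Role` enum and the sample tokens in `main` are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

/**
 * Application-defined framing for GSS-API tokens carried over a byte stream:
 * 4-byte big-endian length, then the token bytes. The receiver never needs to
 * understand the token's internal format, which is exactly why the draft drops
 * the stream-based GSSContext methods and leaves framing to the application.
 */
public final class TokenFraming {

    /** Upper bound on one framed token; a hypothetical limit chosen for this example. */
    static final int MAX_TOKEN_LEN = 64 * 1024;

    static void writeToken(DataOutputStream out, byte[] token) throws IOException {
        out.writeInt(token.length);
        out.write(token);
        out.flush();
    }

    /** Reads one framed token, rejecting oversized or truncated frames. */
    static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_TOKEN_LEN) {
            throw new IOException("bad token length: " + len);
        }
        byte[] token = new byte[len];
        in.readFully(token); // EOFException if the frame is truncated
        return token;
    }

    /** Which side of the context establishment this peer plays (constructed for the example). */
    enum Role { INITIATOR, ACCEPTOR }

    /**
     * Drives context establishment over framed streams with the byte-array API.
     * If the context throws, the error token embedded in the exception (bis draft
     * accessor, assumed name getOutputToken) is framed and sent before rethrowing,
     * so the peer learns why establishment failed instead of seeing a bare EOF.
     */
    static void establish(GSSContext ctx, Role role, DataInputStream in, DataOutputStream out)
            throws IOException, GSSException {
        byte[] inTok = new byte[0];
        try {
            if (role == Role.ACCEPTOR) inTok = readToken(in);
            while (!ctx.isEstablished()) {
                byte[] outTok = (role == Role.INITIATOR)
                        ? ctx.initSecContext(inTok, 0, inTok.length)
                        : ctx.acceptSecContext(inTok, 0, inTok.length);
                if (outTok != null) writeToken(out, outTok);
                if (!ctx.isEstablished()) inTok = readToken(in);
            }
        } catch (GSSException e) {
            byte[] errTok = e.getOutputToken(); // assumed rfc5653bis accessor
            if (errTok != null) writeToken(out, errTok);
            throw e;
        }
    }

    // Self-contained check of the framing only; no Kerberos environment needed.
    // The three sample tokens are constructed values, not real GSS-API tokens.
    public static void main(String[] args) throws IOException {
        byte[][] samples = {
            new byte[0],
            "sample-token".getBytes(StandardCharsets.US_ASCII),
            new byte[1500]
        };
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        for (byte[] t : samples) writeToken(out, t);
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(buf.toByteArray()));
        for (byte[] t : samples) {
            if (!Arrays.equals(t, readToken(in))) throw new AssertionError("round-trip mismatch");
        }
        // A frame cut off mid-token must be detected, not silently accepted as a shorter token.
        byte[] truncated = Arrays.copyOf(buf.toByteArray(), 10);
        try {
            readToken(new DataInputStream(new ByteArrayInputStream(truncated)));
            throw new AssertionError("truncated frame accepted");
        } catch (EOFException expected) {
            System.out.println("framing ok; truncated frame rejected");
        }
    }
}
```

Because the framing is the application's own, an implementation written this way behaves identically under RFC 5653 and rfc5653bis bindings for point 2; only the `catch` block depends on the bis draft's embedded error token, which is where the compatibility strategy the draft describes applies.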