Re: [secdir] review of draft-ietf-kitten-gssapi-naming-exts

Leif Johansson <> Tue, 20 July 2010 19:14 UTC

Date: Tue, 20 Jul 2010 21:14:27 +0200
From: Leif Johansson <>
To: Dan Harkins <>

On 07/20/2010 07:09 PM, Dan Harkins wrote:
>   Hello,
>   I have reviewed draft-ietf-kitten-gssapi-naming-exts as part of the
> security directorate's ongoing effort to review all IETF documents being
> processed by the IESG. These comments were written primarily for the
> benefit of the security area directors. Document editors and WG chairs
> should treat these comments just like any other last call comments.
>   This draft extends the GSS-API naming model to include support for
> "name attributes". This support can be used by an application to make
> authorization decisions. I found no problems in the draft that the
> ADs should take special note of.
>   The draft is well-written and introduces and uses terminology well,
> with one nit. It introduces terms with certain marking and then uses
> them either without the marking (which is fine) or with some other
> marking. For instance, "An attribute is 'authenticated' iff...." and
> then the concept of an authenticated attribute is used without the
> single quote. But sometimes attributes "MUST be represented as
> *authenticated* GSS-API name attributes named using the _same_ OID
> mapped to a URN." OK, so what's the significance of the asterisks now?
> And the underscore? I found no value in these marks and suggest removing
> them. If the authors intend for the marks to convey some meaning then
> perhaps a Notations section is in order.
>   One last nit: Section 6.2.1 refers to "(see comment above)" which should
> be "(see Section 5)".
>   regards,
>   Dan.

Thanks for the review, Dan! Your comments are very valuable and I intend
to update the document accordingly.

	Cheers, Leif