Re: [secdir] secdir review of draft-ietf-sasl-gs2-17
Nicolas Williams <Nicolas.Williams@sun.com> Mon, 23 November 2009 17:04 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B23183A68DE; Mon, 23 Nov 2009 09:04:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.603
X-Spam-Level:
X-Spam-Status: No, score=-5.603 tagged_above=-999 required=5 tests=[AWL=0.443, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5+C+M6Q+Vsk5; Mon, 23 Nov 2009 09:04:23 -0800 (PST)
Received: from sca-ea-mail-3.sun.com (sca-ea-mail-3.Sun.COM [192.18.43.21]) by core3.amsl.com (Postfix) with ESMTP id AAACE28C0DC; Mon, 23 Nov 2009 09:04:22 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id nANH4I5j012734; Mon, 23 Nov 2009 17:04:18 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id nANH4GUh062446; Mon, 23 Nov 2009 10:04:16 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nANGqZPi004019; Mon, 23 Nov 2009 10:52:35 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nANGqYsE004018; Mon, 23 Nov 2009 10:52:34 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Mon, 23 Nov 2009 10:52:34 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Glen Zorn <gwz@net-zen.net>
Message-ID: <20091123165233.GJ773@Sun.COM>
References: <000001ca6a19$665b3320$33119960$@net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <000001ca6a19$665b3320$33119960$@net>
User-Agent: Mutt/1.5.7i
Cc: simon@josefsson.org, secdir@ietf.org, 'Kurt Zeilenga' <Kurt.Zeilenga@Isode.com>, iesg@ietf.org, 'Alexey Melnikov' <alexey.melnikov@Isode.com>
Subject: Re: [secdir] secdir review of draft-ietf-sasl-gs2-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2009 17:04:24 -0000
On Fri, Nov 20, 2009 at 02:39:59PM -0500, Glen Zorn wrote: > GENERAL COMMENTS > The reference to a document is not the document; for example, in the > following excerpt from section 2, there are no names defined in the > reference to RFC 2743: > The document uses many terms and function names defined in [RFC2743] > as updated by [RFC5554]. > Please change to something like > The document uses many terms and function names defined in RFC 2743 > [RFC2743] > as updated by RFC 5554 [RFC5554]. > Note that this comment applies globally to all such usages in the document. I'm with Alexey on this. The RFC Editor might even re-write this by replacing the reference with the full title and reference. (Personally I very much dislike unnecessary redundancy, as in "defined in RFC 2743 [RFC2743]", but whatever style the RFC Editor thinks is appropriate and consistent with current RFC Editor practice is what we should go with. > ABSTRACT > The last sentence of the Abstract says: "See > <http://josefsson.org/sasl-gs2-*/> for more information." Unless the > referenced URL is intended to be permanently available (and probably even > then), this line should be removed before publication as an RFC. I think that's clearly not intended to remain in the final RFC, but to help reviewers understand the progression. I agree that this is best placed in a changelog-type section, but at this point it does not matter. > In paragraph 5, "The [RFC2743] section 3.1 initial context token header" has > the sound of GSSAPI "code words" ;-). Suggest changing to "The GSSAPIv2 > initial context token header (see section 3.1 of RFC 2743 [RFC2743])" or > some such. My attitude is that different technologies tend to have different terminology, and we can't forever be explaining it when we have documents that deal with more than one technology. In this case the reader is expected to, and indeed must have some familiarity with both, SASL and the GSS-API. I'm not sure how we could avoid that. The text in qquestion is very specific as to where you'll find the definition of "initial context token header": RFC2743, section 3.1. That should suffice; it's certainly better than writing a lengthy exposition on what a context token is, what an initial context token is, what an "initial context token header" is, and why it's there. (Also, FYI it's GSS-API, or GSS-API v2, update 1 -- not "GSSAPIv2". One of the many _annoying_ terminology bridging problems of the past is that the original SASL/GSS-API bridge wasn't named properly. As a result "GSS-API" means one thing, and "GSSAPI" (without the hyphen) can mean another, and you have to know the context in order to tell which it is. Better to always be careful to include the hyphen. This is really, really annoying. I hope this document will put that problem to bed for good once GS2 is widely adopted..) > SECTION 5 > I find this section rather difficult to understand: not all of the possible > combinations of gs2-cb-flag and server support for channel bindings seem to > be covered. A table might help, if not for that the gs2-cb-flag is > tri-valued & used to signal two different things. I believe we handled all cases. There are three flag values and two server support alternatives. I suppose we can add a table, something like: FLAG SERVER CB SUPPORT DISPOSITION ---- ----------------- ----------- n Irrelevant If server disallows non-channel- bound authentication, then fail y CB not supported Authentication may succeed y CB supported Authentication must fail p CB supported Authentication may succeed, with CB used p CB not supported Authentication will fail <none> CB not supported Client does not even try because it insists on CB Note the use of 'may', 'must' and 'will' in the above. "Authentication must fail" means that the server must fail authentication. "Authentication will fail" means that the GS2 message exchange will proceed but authentication will necessarily fail as a result of CB inputs differing on the client and server side. > SECTION 6 > This section needs a lot of work if it is expected to be understood by > non-members of the Illuminati ;->. Just one example (of many possible): > > Example #3: a two round-trip GSS-API context token exchange, no > channel binding, no standard token header. > > C: Request authentication exchange > S: Empty Challenge > C: F,n,,<initial context token without > standard header> > S: Send reply context token as is > C: Send reply context token as is > S: Send reply context token as is > C: Empty message > S: Outcome of authentication exchange > > What does this mean? What do 'F' & 'n' stand for? How is it useful? It > might be claimed that these questions could be answered by dissecting the > ABNF for the gs2 header, but I don't think that's a good answer: examples > should be self-contained. I don't agree. Example protocol exchanges need to be simplified -- we're trying show what the flows look like, not to be exacting in detail. The more explanation the example needs, the less clear it obviously is. In the example above the "<initial context token withoutstandard header>" makes it clear, if you've read the preceding sections, that the "F,n,," part is the GS2 header. We could add quotes to the F,n,, part, if you think that will help. > The first paragraph says: > > GS2 does not use any GSS-API per-message tokens. Therefore the > setting of req_flags related to per-message tokens is irrelevant. > > OK, but what should the client and server behavior should be WRT the flags? There's no actual behavior w.r.t. req_flags and ret_flags. The GSS-API mechanism is free to enable per-msg token features not requested by the caller, but they are truly irrelevant: the application won't be using per-msg tokens. It may make things simpler if we explicitly require that req_flags not be set: GS2 does not use any GSS-API per-message tokens. Therefore the per-message token ret_flags from GSS_Init_sec_context() and GSS_Accept_sec_context() are irrelevant; implementations SHOULD NOT set the per-message req_flags. Thanks! Nico --
- [secdir] secdir review of draft-ietf-sasl-gs2-17 Glen Zorn
- Re: [secdir] secdir review of draft-ietf-sasl-gs2… Nicolas Williams
- Re: [secdir] secdir review of draft-ietf-sasl-gs2… Alexey Melnikov
- Re: [secdir] secdir review of draft-ietf-sasl-gs2… Simon Josefsson
- Re: [secdir] secdir review of draft-ietf-sasl-gs2… Simon Josefsson