Re: [secdir] SecDir review of draft-ietf-krb-wg-gss-cb-hash-agility-08

Shawn Emery <shawn.emery@oracle.com> Tue, 29 November 2011 06:39 UTC


On 11/28/11 01:13 PM, Nico Williams wrote:
> On Mon, Nov 28, 2011 at 1:53 PM, <kathleen.moriarty@emc.com> wrote:
>> I think the document is ready.  The only suggestion would be to consider expanding out the security consideration section to list any risks with using or not using channel bindings.  Right now, it states it is up to the application's policy, which is fine, but may leave developers with questions.
> This document is not really of interest to GSS-API application
> protocol developers -- they should be using RFCs 2743 and 5554.  This
> doc is intended primarily for Kerberos GSS mechanism implementors.

Perhaps I should mention something like this in the sec cons section and 
remove the second paragraph?

> That said, informative references to RFC 5056 and 5554 wouldn't hurt,
> and in any case I'm not opposed to the proposed change.

See above.

Shawn.