IETF Logo Mail Archive

Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt

Nicolas Williams <Nicolas.Williams@sun.com> Wed, 18 April 2007 21:11 UTC

Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HeHQw-0003wm-UN; Wed, 18 Apr 2007 17:11:22 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HeHQv-0003wG-J7 for spkm@ietf.org; Wed, 18 Apr 2007 17:11:22 -0400
Received: from sca-ea-mail-2.sun.com ([192.18.43.25]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HeHQo-0004Ni-FL for spkm@ietf.org; Wed, 18 Apr 2007 17:11:21 -0400
Received: from centralmail3brm.Central.Sun.COM ([129.147.62.199]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id l3ILBDlb000265 for <spkm@ietf.org>; Wed, 18 Apr 2007 21:11:13 GMT
Received: from binky.central.sun.com (binky.Central.Sun.COM [129.153.128.104]) by centralmail3brm.Central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id l3ILBDUl011336 for <spkm@ietf.org>; Wed, 18 Apr 2007 15:11:13 -0600 (MDT)
Received: from binky.central.sun.com (localhost [127.0.0.1]) by binky.central.sun.com (8.13.8+Sun/8.13.6) with ESMTP id l3ILAEPn010539; Wed, 18 Apr 2007 16:10:14 -0500 (CDT)
Received: (from nw141292@localhost) by binky.central.sun.com (8.13.8+Sun/8.13.8/Submit) id l3ILAEdM010538; Wed, 18 Apr 2007 16:10:14 -0500 (CDT)
X-Authentication-Warning: binky.central.sun.com: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Wed, 18 Apr 2007 16:10:14 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Martin Rex <Martin.Rex@sap.com>
Subject: Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt
Message-ID: <20070418211013.GT4375@Sun.COM>
Mail-Followup-To: Martin Rex <Martin.Rex@sap.com>, lzhu@windows.microsoft.com, aglo@citi.umich.edu, spkm@ietf.org, kitten@lists.ietf.org
References: <20070418205355.GS4375@Sun.COM> <200704182103.l3IL3tQb025387@fs4113.wdf.sap.corp>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <200704182103.l3IL3tQb025387@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc: aglo@citi.umich.edu, spkm@ietf.org, kitten@lists.ietf.org
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

On Wed, Apr 18, 2007 at 11:03:55PM +0200, Martin Rex wrote:
> > We should probably consider whether we want to RECOMMEND, or even
> > REQUIRE that that header be added to all security context establishment
> > tokens, not just the initial one.
> > 
> > But until somebody tables that matter we should not consider
> > RFC1964/4121 as imposing such a requirement on other mechanism that use
> > different mechanism OIDs.
> 
> Require, because it will amount to less code, less complexity and less
> confusion.  The overhead is negligable.  I don't expect any implementation
> of PKU2U to NOT provide rfc1964/rfc4121 functionality as well, despite
> the seperate mechanism OID.

I can't tell if RFC2478/4178 require that header on non-initial SPNEGO
context tokens, but our implementation does NOT put it on any SPNEGO
context token other than the initial one.  Did we miss this?

This requirement, if we wanted to make it, would have to apply only to
future Standards-Track mechs.

> > That said, there's this interesting question: PKU2U re-uses RFC4121 for
> > everything following PKU2U's first two security context tokens (which
> > are KDC messages between the initiator and the acceptor acting as a
> > pseudo-KDC), so, should those context tokens lifted from RFC4121 bear
> > this header?
> 
> I really want to see the generic framing on all context level tokens
> (which is what you meant by header, I assume).

Yes, that's what I meant by 'header'.

> Could it be that you actually didn't want to ask about the framing,
> but about the mechanism OID within the header (if it is present)?

No.

> I'd like to see the generic framing, and I'd like to see it with
> the same mechanism OID as in the initial context token (which is
> different from rfc1964/rfc2141).

Yes, if the generic header is on all context tokens then the same OID
has to be used for all those context tokens for any given security
context.

Nico
-- 

_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email