Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt
Martin Rex <martin.rex@sap.com> Mon, 19 March 2007 17:32 UTC
Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTLix-0005RH-Si; Mon, 19 Mar 2007 13:32:47 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTLix-0005Qo-0M; Mon, 19 Mar 2007 13:32:47 -0400
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1HTLiS-0000B1-9f; Mon, 19 Mar 2007 13:32:46 -0400
Received: from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id TAA16256; Mon, 19 Mar 2007 19:31:57 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200703191731.SAA07246@uw1048.wdf.sap.corp>
Subject: Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt
To: lzhu@windows.microsoft.com
Date: Mon, 19 Mar 2007 18:31:51 +0100
In-Reply-To: <CAAAEFE273EAD341A4B02AAA9CA6F733051CAAA1@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com> from "Liqiang" at Mar 18, 7 04:50:30 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b280b4db656c3ca28dd62e5e0b03daa8
Cc: andros@citi.umich.edu, Michael.Eisler@netapp.com, kitten@lists.ietf.org, spkm@ietf.org, jhutz@cmu.edu
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org
Liqiang wrote: > > Jeffrey Hutzelman wrote: > > Why? How does the initiator handle these tokens? If it does so in any > > way other than by producing a new token, then the acceptor should not be > > returning GSS_S_CONTINUE_NEEDED. > > The deployment experience shows that if the client (instead of the > acceptor or the KDC) can log the error information, the cost of trouble > shooting is significantly lower. I do not agree. (OT: You might want to convince the MSIE/schannel maintainers, currently you need a debugger to figure our the SSL alert received by MSIE, MSIE itself presents just a useless "it may everything including sunspots" error messages, and its been doing this for 10 years). > > If the acceptor returns a KRB_ERROR message with a status that is > anything but GSS_S_CONTINUE_NEEDED, there is no guarantee and it is in > fact very unlikely that the trouble-shooting information can make it to > the client side in order to get logged. IMHO, that is more of an application problem than a Kerberos problem. With your approach, the error and all details will completely hidden from the Server and Server admins. I consider it a real problem when the error is NOT locally reported where it occurs. Whether and how much a client can do for trouble-shooting may be application specific! When helpdesk is called, the only information that is reliably available/accessible is that logged centrally on backends/servers. E.g. when my application notices a "wrong target name in request" type of error, it aborts the security context establishment and returns an error message at the "application level" conveying this error along with the name that the server uses for acquiring his own credentials. (since some gssapi mechanisms are poor at determining this error, my application framing protocol sends the target name along with the initial context establishment token and when gss_accept_sec_context() fails with an error it compares the accompanying target name with its own server name in order to decide whether it sends a "wrong target name" application level error message back to the client. -Martin > -----Original Message----- > From: Jeffrey Hutzelman [mailto:jhutz@cmu.edu] > Sent: Sunday, March 18, 2007 4:44 PM > To: Liqiang(Larry) Zhu > Cc: kitten@lists.ietf.org; Nicolas Williams; andros@citi.umich.edu; > Michael.Eisler@netapp.com; spkm@ietf.org > Subject: RE: Comments on draft-zhu-pku2u-01.txt > > On Sun, 18 Mar 2007, Liqiang(Larry) Zhu wrote: > > > The intention of the text in -01 is that if a KRB-ERROR message should > > be generated according to rfc4120, then GSS_S_CONTINUE_NEEDED MUST be > > returned. > > > Why? How does the initiator handle these tokens? If it does so in any > way other than by producing a new token, then the acceptor should not be > returning GSS_S_CONTINUE_NEEDED. > > > > _______________________________________________ > Kitten mailing list > Kitten@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/kitten > > _______________________________________________ > SPKM mailing list > SPKM@ietf.org > https://www1.ietf.org/mailman/listinfo/spkm > _______________________________________________ SPKM mailing list SPKM@ietf.org https://www1.ietf.org/mailman/listinfo/spkm
- [SPKM] FW: I-D ACTION:draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Nicolas Williams
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Nicolas Williams
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Sam Hartman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- Re: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] RE: FW: I-D ACTION:draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- RE: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Liqiang(Larry) Zhu
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex