IETF Logo Mail Archive

Re: [SPKM] Interoperability

Martin Rex <martin.rex@sap.com> Fri, 03 November 2006 19:36 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gg4qD-0000Q8-SM; Fri, 03 Nov 2006 14:36:37 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gg4qD-0000NN-4E for spkm@ietf.org; Fri, 03 Nov 2006 14:36:37 -0500
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gg4q9-0005ki-N4 for spkm@ietf.org; Fri, 03 Nov 2006 14:36:37 -0500
Received: from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id UAA21089; Fri, 3 Nov 2006 20:36:20 +0100 (MEZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200611031936.UAA16703@uw1048.wdf.sap.corp>
Subject: Re: [SPKM] Interoperability
To: Nicolas.Williams@sun.com
Date: Fri, 03 Nov 2006 20:36:19 +0100
In-Reply-To: <20061031211246.GT28107@binky.Central.Sun.COM> from "Nicolas Williams" at Oct 31, 6 03:12:46 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Cc: hartmans-ietf@mit.edu, spkm@ietf.org
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

Nicolas Williams wrote:
> 
> On Tue, Oct 31, 2006 at 02:23:50PM -0500, Sam Hartman wrote:
> > * When will we get a spec out?  How long will the market wait?
> >   Sometimes, you have to accept that the market will deploy something
> >   and you have little influence on it.  In those cases it's better to
> >   write a compelling spec and hope that people will migrate.  Other
> >   times, if you can stretch to meet market timing, you can avoid the
> >   market deploying something that does not meet your spec.  That is
> >   very desirable.
> 
> If we cannot get a spec that will meet our needs in time for the market
> then the proposed protocol could go to Informational and a spec that
> does meet our needs can later go to Proposed-Standard, using a different
> OID.

There is a problem in the traditional (simple) GSS-API and how it is
embedded within several application protocols, that there is no
negotiation of a mechanism (OID).  In real distributed environments,
where a component is both, server and client, a switch to a new
OID might require a "flag day".  Depending on the implementation
(and we know that SPKM is underspecified in this area), an updated
enhanced GSS-API mechanism might use the new OID also in the
generic framing of the exported binary canonical name, and
as a result might not reuse any of the existing ACLs based
on binary canonical names...

The use of the mechanism OID in the generic framing of exported
binary canonical names was (primarily) meant to prevent accidental
collisions of two names from distinct namespaces referring to
distinct entities, not to ultimately require distinct exported
names based on the employed authentication mechanism (although
I admit that some saw this as a potential feature, being able
to distinguish mechanisms of different strength in the ACL).

Personally, I see a real benefit if mechanisms sharing a common
namespace can share ACLs, be that ACLs with printable or
binary canonical names.

-Martin



_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email