IETF Logo Mail Archive

Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt

Sam Hartman <hartmans-ietf@mit.edu> Mon, 19 March 2007 16:13 UTC

Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTKUO-0006ND-Rd; Mon, 19 Mar 2007 12:13:40 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTKUO-0006N3-Fc for spkm@ietf.org; Mon, 19 Mar 2007 12:13:40 -0400
Received: from dhcp-1226.ietf68.org ([130.129.18.38] helo=carter-zimmerman.mit.edu) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1HTKUN-0002Fy-2q for spkm@ietf.org; Mon, 19 Mar 2007 12:13:40 -0400
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id EF41BE031C; Mon, 19 Mar 2007 12:13:22 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt
References: <Pine.LNX.4.33L.0703181955190.1982-100000@minbar.fac.cs.cmu.edu>
Date: Mon, 19 Mar 2007 12:13:22 -0400
In-Reply-To: <Pine.LNX.4.33L.0703181955190.1982-100000@minbar.fac.cs.cmu.edu> (Jeffrey Hutzelman's message of "Sun, 18 Mar 2007 19:58:50 -0400 (EDT)")
Message-ID: <tslejnlw6sd.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e5ba305d0e64821bf3d8bc5d3bb07228
Cc: Michael.Eisler@netapp.com, kitten@lists.ietf.org, spkm@ietf.org, andros@citi.umich.edu
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz@cmu.edu> writes:

    Jeffrey> On Sun, 18 Mar 2007, Liqiang(Larry) Zhu wrote:
    >> Jeffrey Hutzelman wrote: > Why?  How does the initiator handle
    >> these tokens?  If it does so in any > way other than by
    >> producing a new token, then the acceptor should not be >
    >> returning GSS_S_CONTINUE_NEEDED.
    >> 
    >> The deployment experience shows that if the client (instead of
    >> the acceptor or the KDC) can log the error information, the
    >> cost of trouble shooting is significantly lower.
    >> 
    >> If the acceptor returns a KRB_ERROR message with a status that
    >> is anything but GSS_S_CONTINUE_NEEDED, there is no guarantee
    >> and it is in fact very unlikely that the trouble-shooting
    >> information can make it to the client side in order to get
    >> logged.

    Jeffrey> No; you are confused.  GSS_S_CONTINUE_NEEDED does not
    Jeffrey> mean "there is a token to send to the peer".  It means
    Jeffrey> "another token is expected from the peer".  Any token
    Jeffrey> produced by GSS_Accept_sec_context should be sent to the
    Jeffrey> peer regardless of the returned status code.

    Jeffrey> Behaving otherwise violates the abstraction and will
    Jeffrey> break application protocols which expect the GSS-API to
    Jeffrey> behave as specified, regardless of which mechanism is
    Jeffrey> being used.

I strongly agree with Jeff here.


_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email