[SPKM] Re: Comments on draft-zhu-pku2u-01.txt
Jeffrey Hutzelman <jhutz@cmu.edu> Sun, 18 March 2007 23:24 UTC
Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HT4jW-0003rM-2y; Sun, 18 Mar 2007 19:24:14 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HT4jT-0003r8-Kq for spkm@ietf.org; Sun, 18 Mar 2007 19:24:11 -0400
Received: from minbar.fac.cs.cmu.edu ([128.2.185.161]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1HT4jS-0006XK-Ce for spkm@ietf.org; Sun, 18 Mar 2007 19:24:11 -0400
Received: from minbar.fac.cs.cmu.edu ([127.0.0.1]) by minbar.fac.cs.cmu.edu id aa11472; 18 Mar 2007 19:23 EDT
Date: Sun, 18 Mar 2007 19:23:50 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
X-X-Sender: <jhutz@minbar.fac.cs.cmu.edu>
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20070318122026.GJ22445@Sun.COM>
Message-ID: <Pine.LNX.4.33L.0703181912540.1982-100000@minbar.fac.cs.cmu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: kitten@lists.ietf.org, andros@citi.umich.edu, Olga Kornievskaia <aglo@citi.umich.edu>, Michael.Eisler@netapp.com, spkm@ietf.org
Subject: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org
On Sun, 18 Mar 2007, Nicolas Williams wrote: > On Sat, Mar 17, 2007 at 03:04:39AM -0400, Jeffrey Hutzelman wrote: > > On Fri, 16 Mar 2007, Liqiang(Larry) Zhu wrote: > > > > > 6. User to User when applied by server policy > > > > > > In the case that the client application doesn't know that a service > > > requires user-to-user authentication, and requests and receives a > > > conventional KRB_AP_REP, the client will send the KRB_AP_REP > > > request, and the server will respond with a KRB_ERROR token as > > > described in RFC1964, with a msg-type of > > > KRB_AP_ERR_USER_TO_USER_REQUIRED (0x45). The server may optionally > > > pass the TGT in the data field of this error message. In response to > > > this error, the initiator sets flags and returns a > > > GSS_C_CONTINUE_NEEDED so that the next round uses the mechanism > > > described in section 4. > > > > While this is a token carrying a KRB_ERROR, it's not an "error token" in > > the sense that we're talking about. In the context of Olga's and my > > comments, an "error token" is one which causes the peer to abort context > > establishment and return an error status to its caller. Such a token > > should never be returned with GSS_S_CONTINUE_NEEDED, because no reply is > > expected. > > The quoted text does not call this an error token. No, it doesn't, but check the current thread. The current PKU2U document indicates that "In all cases, GSS_Accept_security_context returns GSS_S_CONTINUE_NEEDED... a KRB_ERROR if there was an error...". Olga's reading and mine is that this in some cases requires returning GSS_S_CONTINUE_NEEDED with an output token that is an "error token" as I define it above; that is, one which the initiator is expected to handle by aborting the context establishment (Olga didn't use the phrase "error token", but I did). Larry quoted the text from section 6 of the Kerberos U2U as a counterexample to my argument that when an error token is emitted, it should always come with a real error code, not GSS_S_CONTINUE_NEEDED. But the quoted text is not actually a counterexample, because although the token described containes a KRB-ERROR, it is not an "error token"; it is intended to trigger the U2U mechanism, which will result in another context token. The case described on page 5 of PKU2U-01 describes a token produced when "there was an error while processing the request or the local policy prevented a ticket from being issued." These are situations in which context establishment cannot continue, and the error token is intended to cause GSS_Init_sec_context to return an appropriate failure code. Since no further tokens are expected, the correct result code is something other than GSS_S_CONTINUE_NEEDED. More generally, a mechanism should return GSS_S_CONTINUE_NEEDED in exactly those cases where the peer is expected to send another token, and no others. -- Jeff _______________________________________________ SPKM mailing list SPKM@ietf.org https://www1.ietf.org/mailman/listinfo/spkm
- [SPKM] FW: I-D ACTION:draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Nicolas Williams
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Nicolas Williams
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Sam Hartman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- Re: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] RE: FW: I-D ACTION:draft-zhu-pku2u-01.txt Liqiang(Larry) Zhu
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- Re: [SPKM] RE: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Jeffrey Hutzelman
- [SPKM] Re: Comments on draft-zhu-pku2u-01.txt Martin Rex
- [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.txt Olga Kornievskaia
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- RE: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Liqiang(Larry) Zhu
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Nicolas Williams
- Re: [SPKM] Re: FW: I-D ACTION:draft-zhu-pku2u-01.… Martin Rex