IETF Logo Mail Archive

[SPKM] Re: Comments on draft-zhu-pku2u-01.txt

Martin Rex <martin.rex@sap.com> Mon, 19 March 2007 15:26 UTC

Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTJkb-0002sh-NT; Mon, 19 Mar 2007 11:26:21 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTJka-0002sY-4K; Mon, 19 Mar 2007 11:26:20 -0400
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HTJkM-0003lO-Lj; Mon, 19 Mar 2007 11:26:20 -0400
Received: from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id RAA12622; Mon, 19 Mar 2007 17:25:34 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200703191525.QAA04217@uw1048.wdf.sap.corp>
To: lzhu@windows.microsoft.com
Date: Mon, 19 Mar 2007 16:25:34 +0100
In-Reply-To: <CAAAEFE273EAD341A4B02AAA9CA6F733051CA960@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com> from "Liqiang" at Mar 16, 7 07:01:09 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-SAP: out
X-SAP: out
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
Cc: kitten@lists.ietf.org, andros@citi.umich.edu, aglo@citi.umich.edu, Michael.Eisler@netapp.com, spkm@ietf.org, jhutz@cmu.edu
Subject: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

Liqiang wrote:
> 
> Jeff wrote:
> > This is a good point.  GSS_S_CONTINUE_NEEDED indicates that it will be
> > necessary to make the call again with another token provided by the peer. 
> > When GSS_Init_sec_context or GSS_Accept_sec_context emits an error token, 
> > it should also return an appropriate error status, not 
> > GSS_S_CONTINUE_NEEDED.
> 
> This is not necessary accurate. In the User2User protocol,
> http://www.watersprings.org/pub/id/draft-swift-win2k-krb-user2user-03.txt,
> the server can return a KRB_ERROR with the GSS_S_CONTINUE_NEEDED status.

Returning a KRB_ERROR token along with GSS_S_CONTINUE_NEEDED minor_status
from gss_accept_sec_context() is defintely *NOT* allowed by rfc-1964.

There seems to be text describing a backward incompatible change in
rfc-4121 last paragraph of section 4.1, (top of page 5) which
allows such misbehaviour for the specific case of an unknown token ID:

   If an unknown token identifier (TOK_ID) is received in the initial
   context establishment token, the receiver MUST return
   GSS_S_CONTINUE_NEEDED major status, and the returned output token
   MUST contain a KRB_ERROR message with the error code
   KRB_AP_ERR_MSG_TYPE [RFC4120].

But since the spec is entirely silent about how the client can continue
to produce a successful security context establishment from that point on,
it is sufficiently incomplete to be unusuable.

SSPI has been returning KRB_ERROR tokens along with CONTINUE_NEEDED
status from the beginning, in an undocumented/unspecified fashion,
non-interoperable with rfc-1964 based Kerberos implementations.

-Martin

_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email