Re: [TLS] Review of draft-santesson-tls-gssapi-03
Martin Rex <Martin.Rex@sap.com> Wed, 12 September 2007 16:12 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IVUpk-0002NF-4n; Wed, 12 Sep 2007 12:12:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IVUpi-0002N9-J9 for tls@lists.ietf.org; Wed, 12 Sep 2007 12:12:54 -0400
Received: from smtpde03.sap-ag.de ([155.56.68.140]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IVUpg-0002r2-Vv for tls@lists.ietf.org; Wed, 12 Sep 2007 12:12:54 -0400
Received: from sap.corp by smtpde03.sap-ag.de (26) with ESMTP id l8CGCOIc007641; Wed, 12 Sep 2007 18:12:24 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200709121612.l8CGC1OT007127@fs4113.wdf.sap.corp>
Subject: Re: [TLS] Review of draft-santesson-tls-gssapi-03
To: lzhu@windows.microsoft.com
Date: Wed, 12 Sep 2007 18:12:00 +0200
In-Reply-To: <B78121AEC3DFC949BF5080E7BCDD79F49BB7915B66@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> from "Larry Zhu" at Sep 11, 7 07:56:16 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc: simon@josefsson.org, tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Larry Zhu wrote: > > > 5) Does the wire protocol differentiate between GSS_S_CONTINUE_NEEDED > > and GSS_S_COMPLETE? I'm thinking if the initial GSS_Init_sec_context > > call returns GSS_S_COMPLETE. The server will call > > GSS_Accept_sec_context which shouldn't return any data. The server > > sends back a 0b string. How can the client differentiate this from when > > GSS_Accept_sec_context returned GSS_S_CONTINUE_NEEDED? Perhaps the > > answer is that the client simply disconnect in this situation, but maybe > > that has to be noted. > > A note is added as follows: > > As implied by GSS-API, a GSS-API token SHOULD NOT be received after > the context is established (GSS_S_COMPLETE is returned), the receiver > MUST tear down the connection in this case. Only nitpicking: In the GSS-API original design, it is possible to receive a context-level token after having seen GSS_S_COMPLETE from the local context establishment function. The obvious and non-controversial case has been deprecated (the context deletion token). The specified behaviour was too pass this token to gss_process_context_token(). Whether or not an peer is allowed to create an context-level error token (not a delete token) that the peer does not expect is fairly unclear, however. Implementations of the Kerberos 5 gssapi mechanisms send such error tokens (containing a KRB_ERROR message) in some situations. I don't know whether these implementations refrain from sending the error token if the peer does not expect it (e.g. when the client does not request mutual authentication and uses an incorrect target name on a Microsoft Windows platform). I don't know what other GSS-API mechanisms (e.g. based on SPKM) have been doing in this area. The one thing that is clear from the GSS-API spec is that an application caller MUST NOT call a context establishment call (init_sec_context, accept_sec_context) on a context for which a previous call to the context establishment functions returned GSS_S_COMPLETE. If at all, such a token must be consumed through gss_process_context_token(). and in the two scenarios described in the GSS-API standard, the context deletion token and the context error token, this will result in the security context to become invalid/unusable... -Martin _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Review of draft-santesson-tls-gssapi-03 Simon Josefsson
- RE: [TLS] Review of draft-santesson-tls-gssapi-03 Larry Zhu
- RE: [TLS] Review of draft-santesson-tls-gssapi-03 Larry Zhu
- [TLS] Re: Review of draft-santesson-tls-gssapi-03 Simon Josefsson
- Re: [TLS] Review of draft-santesson-tls-gssapi-03 Martin Rex
- Re: [TLS] Re: Review of draft-santesson-tls-gssapā¦ Martin Rex
- [TLS] Re: Review of draft-santesson-tls-gssapi-03 Simon Josefsson
- RE: [TLS] Review of draft-santesson-tls-gssapi-03 Larry Zhu
- [TLS] RE: Review of draft-santesson-tls-gssapi-03 Larry Zhu
- [TLS] Re: Review of draft-santesson-tls-gssapi-03 Simon Josefsson
- [TLS] RE: Review of draft-santesson-tls-gssapi-03 Larry Zhu