Re: [TLS] the use cases for GSS-based TLS and the plea for integrating

Chris Newman <Chris.Newman@Sun.COM> Fri, 27 July 2007 14:02 UTC

Date: Fri, 27 Jul 2007 09:03:04 -0500
From: Chris Newman <Chris.Newman@Sun.COM>
Subject: Re: [TLS] the use cases for GSS-based TLS and the plea for integrating
In-reply-to: <46A91838.5050705@secure-endpoints.com>
To: jaltman@secure-endpoints.com
Message-id: <4326E17DC83C408C88F440C0@446E7922C82D299DB29D899F>
References: <200707171840.l6HIeg9M018099@fs4113.wdf.sap.corp> <48A6320349FD1EDBE937A357@dhcp-26f9.ietf69.org> <C4E819FF73EA6ED22A3906CD@446E7922C82D299DB29D899F> <7CD9366321AC463125D19ED4@446E7922C82D299DB29D899F> <46A91838.5050705@secure-endpoints.com>
Cc: tls@ietf.org

Jeffrey Altman wrote on 7/26/07 17:55 -0400:
> Chris Newman wrote:
>> I will certainly do that.  However, I recommend you talk to
>> application developers who consume TLS and GSSAPI/SSPI/SASL/EAP APIs
>> to see how they feel about these issues.
>>
> Chris:
>
> If I am reading you correctly, you would like to see proposals for
> example describing how the Windows SSPI and OpenSSL among other TLS
> implementations would need to be modified to support the described
> functionality.  I think that this is a very important consideration and
> I would be happy to propose changes for OpenSSL as I was involved in
> adding the support for TLS KRB5 to OpenSSL many years ago.

Yes.  And it's not just changes to the TLS stacks, but also to the applications 
that consume the TLS stacks.

I also encourage serious consideration of alternate approaches that involve 
fewer changes to the TLS stack.

                - Chris


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls