[TLS] RE: Last call comments for draft-santesson-tls-(ume-04, supp-00)

"Stefan Santesson" <stefans@microsoft.com> Tue, 04 April 2006 09:24 UTC

Date: Tue, 04 Apr 2006 10:24:32 +0100
Message-ID: <BF9309599A71984CAC5BAC5ECA629944048E9BB0@EUR-MSG-11.europe.corp.microsoft.com>
Thread-Topic: Last call comments for draft-santesson-tls-(ume-04,supp-00)
From: Stefan Santesson <stefans@microsoft.com>
To: Pasi.Eronen@nokia.com, housley@vigilsec.com
Cc: tls@ietf.org
Subject: [TLS] RE: Last call comments for draft-santesson-tls-(ume-04, supp-00)

Will do.

Stefan Santesson
Program Manager, Standards Liaison
Windows Security


> -----Original Message-----
> From: Pasi.Eronen@nokia.com [mailto:Pasi.Eronen@nokia.com]
> Sent: den 4 april 2006 11:17
> To: Stefan Santesson; housley@vigilsec.com
> Cc: tls@ietf.org
> Subject: RE: Last call comments for
> draft-santesson-tls-(ume-04,supp-00)
> 
> Stefan,
> 
> Thanks for the clarification. Please include text about this
> in the draft as well.
> 
> Best regards,
> Pasi
> 
> > -----Original Message-----
> > From: ext Stefan Santesson [mailto:stefans@microsoft.com]
> > Sent: 04 April, 2006 02:08
> > To: Russ Housley; Eronen Pasi (Nokia-NRC/Helsinki)
> > Cc: tls@ietf.org
> > Subject: RE: Last call comments for
> > draft-santesson-tls-(ume-04,supp-00)
> >
> > Sometimes it is sufficient to specify the domain as the user name is
> > provided by the cert but that cert is used to access multiple accounts
> > in different domains. In other cases the full name@domain is needed.
> >
> > We chose to provide for both alternatives using the same hint type.
> > This works well and I would prefer to keep it that way.
> >
> >
> > Stefan Santesson
> > Program Manager, Standards Liaison
> > Windows Security
> >
> >
> > > -----Original Message-----
> > > From: Russ Housley [mailto:housley@vigilsec.com]
> > > Sent: den 3 april 2006 17:10
> > > To: Pasi.Eronen@nokia.com; Stefan Santesson
> > > Cc: tls@ietf.org
> > > Subject: RE: Last call comments for
> > > draft-santesson-tls-(ume-04,supp-00)
> > >
> > > Pasi:
> > >
> > > My comments were with respect to the user_principal_name within the
> > > UpnDomainHint.  Sorry for being ambiguous.
> > >
> > > Russ
> > >
> > >
> > > >Russ Housley wrote:
> > > > >
> > > > > Pasi:
> > > > >
> > > > > >4) tls-ume: Would it make sense to define two UserMappingData
> > > > > >    types, one for "user@domain" and another one for just "domain",
> > > > > >    instead of combining them in one type?
> > > > >
> > > > > I do not think so.  The name is user@domain.  It would be
> > > > > meaningless if only user was present, and it would be meaningless
> > > > > if only domain was present.
> > > >
> > > >I don't know if it's meaningless or not, but the current draft
> > > >does say that
> > > >
> > > >    The UpnDomainHint MUST at least contain a non empty
> > > >    user_principal_name or a non empty domain_name. The UpnDomainHint
> > > >    MAY contain both user_principal_name and domain_name.
> > > >
> > > >In other words, one of the fields can be empty. And since the
> > > >user_principal_name field is of the form "user@domain",
> > > >it looks like the UpnDomainHint structure can actually contain
> > > >two _different_ domain names. In other words, the spec does
> > > >allow things like:
> > > >
> > > >   UserMappingData {
> > > >     user_mapping_version = upn_domain_hint(0)
> > > >     UpnDomainHint {
> > > >       user_principal_name = "foo@example.com"
> > > >       domain_name = "bar.example.net"
> > > >     }
> > > >   }
> > > >
> > > >But the draft currently does not explain what this would mean,
> > > >or what the domain-name-only hints are (perhaps they're "Host Mapping
> > > >Data" for host certificates instead of user certs, or something).
> > > >This needs to be clarified.
> > > >
> > > >Best regards,
> > > >Pasi
> >
> >
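
Added example, not part of the thread or of the draft itself: a small Python checker that applies the MUST rule quoted above (at least one of user_principal_name or domain_name non-empty) and classifies what a received UpnDomainHint actually says, including the case Pasi raises where the UPN's domain and domain_name disagree. The wire layout used here (one version byte, then two 16-bit length-prefixed opaque fields) is an assumption for illustration and is not taken from the draft text; the classification labels are likewise invented for this example.

```python
# Added example (not from the thread or the draft): validate a UpnDomainHint
# against the quoted MUST rule and flag the ambiguous or conflicting cases.
# Wire layout below (one version byte, two 16-bit length-prefixed opaque
# fields) is an ASSUMPTION for illustration, not taken from the draft text.
import struct

UPN_DOMAIN_HINT = 0  # user_mapping_version = upn_domain_hint(0), as quoted in the thread


def _read_opaque16(data: bytes, offset: int):
    """Read one 16-bit length-prefixed opaque field; raise on truncation."""
    if offset + 2 > len(data):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", data, offset)
    offset += 2
    if offset + length > len(data):
        raise ValueError("truncated opaque field")
    return data[offset:offset + length], offset + length


def encode_user_mapping_data(user_principal_name: str, domain_name: str) -> bytes:
    """Serialise UserMappingData carrying a UpnDomainHint (assumed layout)."""
    upn = user_principal_name.encode("utf-8")
    dom = domain_name.encode("utf-8")
    return (bytes([UPN_DOMAIN_HINT])
            + struct.pack("!H", len(upn)) + upn
            + struct.pack("!H", len(dom)) + dom)


def decode_user_mapping_data(data: bytes) -> tuple:
    """Parse UserMappingData; reject unknown versions, truncation and trailing bytes."""
    if not data:
        raise ValueError("empty UserMappingData")
    if data[0] != UPN_DOMAIN_HINT:
        raise ValueError("unsupported user_mapping_version %d" % data[0])
    upn, offset = _read_opaque16(data, 1)
    dom, offset = _read_opaque16(data, offset)
    if offset != len(data):
        raise ValueError("trailing bytes after UpnDomainHint")
    return upn.decode("utf-8"), dom.decode("utf-8")


def is_well_formed(data: bytes) -> bool:
    """True if the bytes parse as a single, complete UserMappingData."""
    try:
        decode_user_mapping_data(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def classify_hint(user_principal_name: str, domain_name: str) -> str:
    """Apply the draft's MUST rule and classify what the hint says.

    Labels (invented for this example):
      invalid_empty        both fields empty: violates the MUST
      invalid_upn_form     user_principal_name present but not user@domain
      upn_only             only user_principal_name set
      domain_only          only domain_name set (meaning not defined in the draft)
      consistent           both set and the two domains agree
      conflicting_domains  both set but they name two different domains
    """
    upn = user_principal_name.strip()
    dom = domain_name.strip()
    if not upn and not dom:
        return "invalid_empty"
    if upn and upn.count("@") != 1:
        return "invalid_upn_form"
    if upn and not dom:
        return "upn_only"
    if dom and not upn:
        return "domain_only"
    user, upn_domain = upn.split("@", 1)
    if not user or not upn_domain:
        return "invalid_upn_form"
    # DNS names are case-insensitive; ignore case and a trailing dot when comparing.
    if upn_domain.lower().rstrip(".") == dom.lower().rstrip("."):
        return "consistent"
    return "conflicting_domains"


def classify_wire(data: bytes) -> str:
    """Decode then classify, as a server receiving the hint would."""
    upn, dom = decode_user_mapping_data(data)
    return classify_hint(upn, dom)


if __name__ == "__main__":
    # Constructed sample: the exact two-domain case raised in the thread.
    wire = encode_user_mapping_data("foo@example.com", "bar.example.net")
    print(wire.hex(), classify_wire(wire))
```

A server that maps the hint to an account would treat only `consistent`, `upn_only` and (once the draft defines it) `domain_only` as usable, and log or reject `conflicting_domains` rather than silently picking one of the two names.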

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls