RE: [TLS] Review of draft-santesson-tls-gssapi-03
Larry Zhu <lzhu@windows.microsoft.com> Fri, 14 September 2007 21:06 UTC
From: Larry Zhu <lzhu@windows.microsoft.com>
To: "martin.rex@sap.com" <martin.rex@sap.com>
Date: Fri, 14 Sep 2007 14:05:56 -0700
Subject: RE: [TLS] Review of draft-santesson-tls-gssapi-03
Cc: "simon@josefsson.org" <simon@josefsson.org>, "tls@lists.ietf.org" <tls@lists.ietf.org>
> Only nitpicking: In the GSS-API original design, it is possible to
> receive a context-level token after having seen GSS_S_COMPLETE from
> the local context establishment function.

Right, it should be further qualified as "context establishment tokens".

thanks,
--larry

-----Original Message-----
From: Martin Rex [mailto:Martin.Rex@sap.com]
Sent: Wednesday, September 12, 2007 9:12 AM
To: Larry Zhu
Cc: simon@josefsson.org; tls@lists.ietf.org
Subject: Re: [TLS] Review of draft-santesson-tls-gssapi-03

Larry Zhu wrote:
>
> > 5) Does the wire protocol differentiate between GSS_S_CONTINUE_NEEDED
> > and GSS_S_COMPLETE? I'm thinking if the initial GSS_Init_sec_context
> > call returns GSS_S_COMPLETE. The server will call
> > GSS_Accept_sec_context which shouldn't return any data. The server
> > sends back a 0b string. How can the client differentiate this from when
> > GSS_Accept_sec_context returned GSS_S_CONTINUE_NEEDED? Perhaps the
> > answer is that the client simply disconnects in this situation, but maybe
> > that has to be noted.
>
> A note is added as follows:
>
> As implied by GSS-API, a GSS-API token SHOULD NOT be received after
> the context is established (GSS_S_COMPLETE is returned), the receiver
> MUST tear down the connection in this case.

Only nitpicking: In the GSS-API original design, it is possible to
receive a context-level token after having seen GSS_S_COMPLETE from
the local context establishment function.

The obvious and non-controversial case has been deprecated (the context
deletion token). The specified behaviour was to pass this token to
gss_process_context_token().

Whether or not a peer is allowed to create a context-level error token
(not a delete token) that the peer does not expect is fairly unclear,
however. Implementations of the Kerberos 5 gssapi mechanisms send such
error tokens (containing a KRB_ERROR message) in some situations.

I don't know whether these implementations refrain from sending the
error token if the peer does not expect it (e.g. when the client does
not request mutual authentication and uses an incorrect target name on
a Microsoft Windows platform). I don't know what other GSS-API
mechanisms (e.g. based on SPKM) have been doing in this area.

The one thing that is clear from the GSS-API spec is that an application
caller MUST NOT call a context establishment call (init_sec_context,
accept_sec_context) on a context for which a previous call to the
context establishment functions returned GSS_S_COMPLETE. If at all,
such a token must be consumed through gss_process_context_token().
And in the two scenarios described in the GSS-API standard, the context
deletion token and the context error token, this will result in the
security context becoming invalid/unusable...

-Martin
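The rule Larry and Martin converge on, as an added C example that is not from the thread or from any GSS-API implementation: once the local establishment call has returned GSS_S_COMPLETE, the driver never calls init/accept_sec_context again and treats any further token (the 0-byte reply Simon asked about, or a stray error token) as grounds to tear the connection down. The two status values match gssapi.h numerically; `struct ctx`, `fake_sec_context`, `handle_peer_token` and `simulate` are constructed stand-ins, not GSS-API calls.

```c
#include <stdbool.h>
#include <stddef.h>
/* Status values as in gssapi.h; everything else here is a constructed model. */
#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED 1u
enum action { ACT_SEND_TOKEN, ACT_ESTABLISHED, ACT_TEAR_DOWN };
struct ctx {
    unsigned emit;     /* constructed: context tokens this side still produces */
    unsigned need;     /* constructed: peer tokens this side still requires */
    bool established;  /* set once the local call returned GSS_S_COMPLETE */
};
/* Constructed stand-in for GSS_Init/Accept_sec_context, not a real mechanism. */
static unsigned fake_sec_context(struct ctx *c, size_t in_len, size_t *out_len)
{
    if (in_len > 0 && c->need > 0) c->need--;
    *out_len = 0;
    if (c->emit > 0) {
        c->emit--;
        *out_len = 64;  /* a non-empty token to send */
    }
    return (c->need == 0 && c->emit == 0) ? GSS_S_COMPLETE : GSS_S_CONTINUE_NEEDED;
}
/* TLS-side driver: decide what to do with a token just received from the peer. */
enum action handle_peer_token(struct ctx *c, size_t in_len, size_t *out_len)
{
    *out_len = 0;
    /* Rule from the thread: after GSS_S_COMPLETE never call the establishment
     * function again; any further token (even 0 bytes) means tear down. */
    if (c->established)
        return ACT_TEAR_DOWN;
    unsigned st = fake_sec_context(c, in_len, out_len);
    if (st == GSS_S_COMPLETE) {
        c->established = true;
        return *out_len ? ACT_SEND_TOKEN : ACT_ESTABLISHED;
    }
    return *out_len ? ACT_SEND_TOKEN : ACT_TEAR_DOWN;  /* CONTINUE with nothing to send would hang */
}
/* Run both sides to the end; empty_reply models a server answering an already-finished exchange with a 0-byte token. */
enum action simulate(struct ctx cl, struct ctx sv, bool empty_reply)
{
    size_t to_server = 0, to_client = 0;
    enum action a = handle_peer_token(&cl, 0, &to_server);  /* client's first call: no input token */
    while (a == ACT_SEND_TOKEN) {
        enum action s = handle_peer_token(&sv, to_server, &to_client);
        if (s == ACT_TEAR_DOWN)
            return ACT_TEAR_DOWN;
        if (s == ACT_ESTABLISHED && !empty_reply)
            return cl.established ? ACT_ESTABLISHED : ACT_TEAR_DOWN;
        a = handle_peer_token(&cl, to_client, &to_server);
    }
    return a;
}
```

A one-token (no mutual auth) client paired with a server that replies with an empty token ends in ACT_TEAR_DOWN; the same pair without the spurious reply, and a two-token mutual exchange, both end in ACT_ESTABLISHED.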