IETF Logo Mail Archive

Re: [TLS] the use cases for GSS-based TLS and the plea for

Martin Rex <Martin.Rex@sap.com> Fri, 20 July 2007 17:43 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBwVQ-0002gx-M3; Fri, 20 Jul 2007 13:43:08 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IBwVP-0002fK-CX for tls@ietf.org; Fri, 20 Jul 2007 13:43:07 -0400
Received: from smtpde03.sap-ag.de ([155.56.68.140]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IBwVO-0008Ab-RI for tls@ietf.org; Fri, 20 Jul 2007 13:43:07 -0400
Received: from sap-ag.de (smtpde03) by smtpde03.sap-ag.de (out) with ESMTP id TAA22723; Fri, 20 Jul 2007 19:40:34 +0200 (MESZ)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200707201740.l6KHeYgH008101@fs4113.wdf.sap.corp>
Subject: Re: [TLS] the use cases for GSS-based TLS and the plea for
To: Nicolas.Williams@sun.com
Date: Fri, 20 Jul 2007 19:40:34 +0200
In-Reply-To: <20070720171837.GI26603@Sun.COM> from "Nicolas Williams" at Jul 20, 7 12:18:38 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8abaac9e10c826e8252866cbe6766464
Cc: Martin.Rex@sap.com, tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Nicolas Williams wrote:
> 
> > *I* want to see a requirement for a server credentials in order
> > to put pressure on the interoperability aspect.  Interoperability
> > is important, and the previous specs used a certificate-based
> > credential for this purpose.  We all know pretty well that
> > popular gssapi mechanism like Kerberos5 have a serious
> > inter-organisation interoperability problem, and that is
> > unlikely to go away anytime soon.  So to provide interoperability
> > from the beginning we ought to stick to the one authentication
> > scheme that currently works best cross-organization.
> 
> So why bother with this doc then?  Why not just say: "if you want to use
> TLS then deploy a PKI?"  (And to the question of where to store user
> creds, one answer that comes to mind would be kx509, another would be
> SACRED.)

What I meant (and forgot to add) was "certificate-based credential
(self-signed when no PKI is used) as a mandatory to implement
feature for interoperability".

If support of cert-based credentials is a mere MAY, then I am sure
there will be servers/services where installing or using a PKI
credential is impossible/defective/unusable, and you cannot complain
to the vendor because not-supporting it is fully compliant with the spec.

Everyone will be happy when Kerberos can be used cross-organization
one day.  But until that day, I want to make sure that the customer
has the working alternative to use PKI when there is a need for it.


-Martin

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.29.0 | Report a Bug | By Email | System Status