
Re: AD Review for draft-ietf-sasl-gssapi-xx.txt




Alexey Melnikov wrote:

  5) If the underlying cryptographic technology used by a mechanism
        supports data integrity, then the mechanism specification MUST
        integrity protect the transmission of an authorization identity
        and the negotiation of the security layer.

I think the resolution here is to always require the integrity flag be set.

You mean passing integ_req_flag=true to GSS_Init_sec_context?

This would be fine with me, however this is not the existing practice (e.g. Cyrus SASL only passes this flag when it also negotiates the SASL security layer with integrity protection).

After the follow-up conversation with Sam, he convinced me that this is the right thing.

OLD text:
  If the client will be requesting a security
  layer, it MUST also supply to the GSS_Init_sec_context a
  mutual_req_flag of TRUE, a sequence_req_flag of TRUE, and an
  integ_req_flag of TRUE.  If the client will be requesting a security
  layer providing confidentiality protection, it MUST also supply to
  the GSS_Init_sec_context a conf_req_flag of TRUE.

NEW text:

  When calling the GSS_Init_sec_context the client MUST pass the
  integ_req_flag of TRUE.  If the client will be requesting a security
  layer, it MUST also supply to the GSS_Init_sec_context a
  mutual_req_flag of TRUE, and a sequence_req_flag of TRUE.  If the
  client will be requesting a security layer providing confidentiality
  protection, it MUST also supply to the GSS_Init_sec_context a
  conf_req_flag of TRUE.
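
Added example (not part of the original message, and not code from Cyrus SASL or the draft): the OLD and NEW rules written as two functions that build the req_flags bitmask for GSS_Init_sec_context, showing that they differ only when no security layer is requested. The flag values are those of the GSS-API C bindings (RFC 2744), declared locally; the `sec_layer` enum and the function names are hypothetical.

```c
#include <stdio.h>

/* Flag bit values as defined for the GSS-API C bindings (RFC 2744);
 * declared locally so the example builds without GSS-API headers. */
#ifndef GSS_C_MUTUAL_FLAG
#define GSS_C_MUTUAL_FLAG   2u
#define GSS_C_SEQUENCE_FLAG 8u
#define GSS_C_CONF_FLAG     16u
#define GSS_C_INTEG_FLAG    32u
#endif

/* Hypothetical enum: the security layer the client intends to request. */
enum sec_layer { LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY };

/* OLD text: integ_req_flag is set only when a security layer is requested. */
unsigned req_flags_old(enum sec_layer want)
{
    unsigned f = 0;
    if (want != LAYER_NONE)
        f |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
    if (want == LAYER_CONFIDENTIALITY)
        f |= GSS_C_CONF_FLAG;
    return f;
}

/* NEW text: integ_req_flag is always set; the other flags are unchanged. */
unsigned req_flags_new(enum sec_layer want)
{
    unsigned f = GSS_C_INTEG_FLAG;
    if (want != LAYER_NONE)
        f |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
    if (want == LAYER_CONFIDENTIALITY)
        f |= GSS_C_CONF_FLAG;
    return f;
}

int main(void)
{
    static const char *names[] = { "none", "integrity", "confidentiality" };
    for (int w = LAYER_NONE; w <= LAYER_CONFIDENTIALITY; w++) {
        unsigned o = req_flags_old((enum sec_layer)w);
        unsigned n = req_flags_new((enum sec_layer)w);
        printf("%-16s old=0x%02x new=0x%02x%s\n", names[w], o, n,
               o != n ? "  <-- differs" : "");
    }
    return 0;
}
```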