
Re: AD Review for draft-ietf-sasl-gssapi-xx.txt



Alexey Melnikov <alexey.melnikov@xxxxxxxxx> writes:

> After the followup conversation with Sam he convinced me that this is
> the right thing.
>
> OLD text:
>   If the client will be requesting a security
>   layer, it MUST also supply to the GSS_Init_sec_context a
>   mutual_req_flag of TRUE, a sequence_req_flag of TRUE, and an
>   integ_req_flag of TRUE.  If the client will be requesting a security
>   layer providing confidentiality protection, it MUST also supply to
>   the GSS_Init_sec_context a conf_req_flag of TRUE.
>
> NEW text:
>
>  When calling the GSS_Init_sec_context the client MUST
>  pass the integ_req_flag of TRUE. If the client will be requesting a
>  security layer, it MUST also supply to the GSS_Init_sec_context a
>  mutual_req_flag of TRUE, and a sequence_req_flag of TRUE.
>  If the client will be requesting a security
>  layer providing confidentiality protection, it MUST also supply to the
>  GSS_Init_sec_context a conf_req_flag of TRUE.

The same text is found in the GS2 document as well.  I have made the
same change in it, but I also added:

   The client MUST verify that the requested flags become enabled in
   the context.

I suggest that the same, or similar, text is added to GS1.

Without that text, it seems as if the mechanism could simply ignore
them, and (for the C bindings) that the RET_FLAGS variable indicate
that they were never negotiated.  That seems to be a fatal problem to
me.  Or am I missing something?

/Simon
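
The check discussed in this message, as an added example that is not part of the post or of either draft: the client builds its request flags as in the quoted NEW text, then compares them with the `ret_flags` value returned once `GSS_Init_sec_context` completes. The helper names are hypothetical, and the flag constants are defined locally with their RFC 2744 values so the code builds without the GSS-API headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bit values from the GSS-API C bindings (RFC 2744), defined
 * locally so this example builds without <gssapi/gssapi.h>. */
#ifndef GSS_C_MUTUAL_FLAG
#define GSS_C_MUTUAL_FLAG   2u
#define GSS_C_SEQUENCE_FLAG 8u
#define GSS_C_CONF_FLAG     16u
#define GSS_C_INTEG_FLAG    32u
#endif

/* Hypothetical helper: request flags per the NEW text quoted above.
 * uint32_t stands in for OM_uint32. */
uint32_t sasl_gss_req_flags(int want_layer, int want_conf)
{
    uint32_t req = GSS_C_INTEG_FLAG;            /* always requested */
    if (want_layer || want_conf)                /* any security layer */
        req |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
    if (want_conf)                              /* confidentiality layer */
        req |= GSS_C_CONF_FLAG;
    return req;
}

/* Hypothetical helper: bits that were requested but are absent from
 * ret_flags. Zero means every requested flag became enabled. */
uint32_t sasl_gss_missing_flags(uint32_t req_flags, uint32_t ret_flags)
{
    return req_flags & ~ret_flags;
}

int main(void)
{
    uint32_t req = sasl_gss_req_flags(1, 1);
    /* Constructed ret_flags: the mechanism established the context
     * but did not enable confidentiality. */
    uint32_t ret = GSS_C_INTEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
    uint32_t missing = sasl_gss_missing_flags(req, ret);

    if (missing != 0) {
        /* Fail the SASL exchange instead of continuing unprotected. */
        fprintf(stderr, "requested flags not enabled: 0x%x\n",
                (unsigned)missing);
        return 1;
    }
    return 0;
}
```

In a real client the second argument would be the `ret_flags` output of the final `gss_init_sec_context` call, checked only after it returns `GSS_S_COMPLETE`.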