[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: gs2 and qop

To: Sam Hartman <hartmans-ietf@xxxxxxx>
Subject: Re: gs2 and qop
From: Nicolas Williams <Nicolas.Williams@xxxxxxx>
Date: Thu, 7 Sep 2006 12:12:55 -0500
Cc: Simon Josefsson <jas@xxxxxxxxxxx>, Alexey Melnikov <alexey.melnikov@xxxxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <tslejunvexm.fsf@xxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Mail-followup-to: Sam Hartman <hartmans-ietf@xxxxxxx>, Simon Josefsson <jas@xxxxxxxxxxx>, Alexey Melnikov <alexey.melnikov@xxxxxxxxx>, ietf-sasl@xxxxxxx
References: <87zmde5zx8.fsf@xxxxxxxxxxxxxxxxxxx> <44FF1585.5060607@xxxxxxxxx> <87k64fubq6.fsf@xxxxxxxxxxxxxxxxxxx> <tslodtrx0qn.fsf@xxxxxxxxxx> <87slj3sro7.fsf@xxxxxxxxxxxxxxxxxxx> <tsl8xkvwydu.fsf_-_@xxxxxxxxxx> <877j0fsq4u.fsf@xxxxxxxxxxxxxxxxxxx> <tsl4pvjwwws.fsf@xxxxxxxxxx> <87u03jr8fi.fsf@xxxxxxxxxxxxxxxxxxx> <tslejunvexm.fsf@xxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mutt/1.5.7i

On Thu, Sep 07, 2006 at 12:07:01PM -0400, Sam Hartman wrote:
> 
> >>>>> "Simon" == Simon Josefsson <jas@xxxxxxxxxxx> writes:
> 
>     Simon> Is the consensus that GS2 should support GSS-API mechanisms
>     Simon> that doesn't offer integrity protection?
> 
> My opinion is yes, but that's an individual, not as an AD.

Jeff Hutzelman and I worked out the implications of this off-line just
now.

If we allow use of GSS-API mechanisms that don't offer integrity
protection then:

a) GS2 has to be modified so the client sends the authzid without
   wrapping;

b) SASL applications must be able to inquire which GS2 mechanisms offer
   integrity protection so they can avoid negotiating a mechanism that
   cannot provide what they want;

c) GSS mechs that can provide integ prot but fail to provide it for a
   given security context are a problem -- GS2 should fail
   authentication for such mechanisms when the security context fails to
   provide integrity protection and either the application wanted a
   security layer or wanted channel binding.

I take no position on whether GS2 should support GSS-API mechanisms that
cannot provide integrity protection.  Though I can probably be convinced
that it should.

Nico
--

Follow-Ups:
- Non-integrity GSSAPI mechanisms in GS2
  - From: Simon Josefsson
- Re: gs2 and qop
  - From: Alexey Melnikov
- Re: gs2 and qop
  - From: Jeffrey Hutzelman

References:
- Re: AD Review for draft-ietf-sasl-gssapi-xx.txt
  - From: Simon Josefsson
- Re: AD Review for draft-ietf-sasl-gssapi-xx.txt
  - From: Alexey Melnikov
- Re: AD Review for draft-ietf-sasl-gssapi-xx.txt
  - From: Simon Josefsson
- Re: AD Review for draft-ietf-sasl-gssapi-xx.txt
  - From: Sam Hartman
- Re: AD Review for draft-ietf-sasl-gssapi-xx.txt
  - From: Simon Josefsson
- gs2 and qop
  - From: Sam Hartman
- Re: gs2 and qop
  - From: Simon Josefsson
- Re: gs2 and qop
  - From: Sam Hartman
- Re: gs2 and qop
  - From: Simon Josefsson
- Re: gs2 and qop
  - From: Sam Hartman

Prev by Date: Re: gs2 and qop
Next by Date: Re: gs2 and qop
Previous by thread: Re: gs2 and qop
Next by thread: Re: gs2 and qop
Index(es):
- Date
- Thread