Re: gs2 and qop
Jeffrey Hutzelman <jhutz@xxxxxxx> writes:
>>> My opinion is yes, but that's an individual, not as an AD.
>
>> I take no position on whether GS2 should support GSS-API mechanisms that
>> cannot provide integrity protection. Though I can probably be convinced
>> that it should.
>
> I believe that it should. We have a tradition in SASL of supporting
> "authentication-only" mechanisms, some of which are widely deployed in
> configurations where integrity protection and confidentiality are
> provided at another layer.
Remember that this tradition has stopped, and appears to be actively
discouraged.
CRAM-MD5 is an example of such a mechanism. CRAM-MD5 is not permitted
to enter the standards track, because (according to Sam) it doesn't
support integrity layers or channel bindings. Any authentication-only
GS2 mechanisms will have the same problem.
I don't understand why an authentication-only GS2 mechanism is any
better than a "pure" SASL authentication-only mechanism.
A simple question that may illustrate the situation: Will there ever
be any more authentication-only SASL mechanisms on the standards
track?
If the answer is no, I'd argue that they shouldn't be permitted to be
specified through GS2 either.
Sam said yes to authentication-only GS2 mechanisms as an individual;
perhaps we should solicit his opinion as AD. I wouldn't want an IESG
member to say no to GS2 because it enables authentication-only
mechanisms on the Internet.
One consequence of support for authentication-only GS2 mechanisms: by
defining a CRAM-MD5 GSS-API mechanism, that would allow CRAM-MD5 to
continue to be used as a Standards Track protocol. That seems counter
to the goal of refusing CRAM-MD5 to enter the standards track.
/Simon