[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WG Last Call: draft-ietf-sasl-gs2-02.txt

To: Simon Josefsson <jas@xxxxxxxxxxx>
Subject: Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
From: Alexey Melnikov <alexey.melnikov@xxxxxxxxx>
Date: Tue, 03 Oct 2006 15:09:11 +0100
Cc: ietf-sasl@xxxxxxx
In-reply-to: <87fye5n5o6.fsf@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <7.0.1.0.0.20060831104340.03a589a0@xxxxxxxxxxxx> <450B3B77.2010406@xxxxxxxxx> <87fye5n5o6.fsf@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915


Simon Josefsson wrote:

4.2.  Context Token

[...]

 The client calls GSS_Init_sec_context, passing in
 input_context_handle of 0 (initially), mech_type of the GSSAPI
 mechanism for which this SASL mechanism is registered, the
 chan_binding is set to NULL, and targ_name equal to output_name from
 GSS_Import_Name called with input_name_type of
 GSS_C_NT_HOSTBASED_SERVICE and input_name_string of

The GS1 has the note marker (*) after the "GSS_C_NT_HOSTBASED_SERVICE",
the note reads:

 (*) - Clients MAY use name types other than
 GSS_C_NT_HOSTBASED_SERVICE to import servers' acceptor names, but
 only when they have a priori knowledge that the servers support
 alternate name types.  Otherwise clients MUST use
 GSS_C_NT_HOSTBASED_SERVICE for importing acceptor names.

This is to address recent Nico's proposal to allow for domain based names.

I've added this.

Is something similar needed for the server side too?


I thinks something like (from GS1) is sufficient:

  (**) - Use of server's principal names having
  GSS_C_NT_HOSTBASED_SERVICE name type and "service@hostname" format,
  where "service" is the service name specified in the protocol's
  profile, is RECOMMENDED.

So basically this allows for other name types.

[...]

 If the client will be requesting a security
 layer, it MUST also supply to the GSS_Init_sec_context a
 mutual_req_flag of TRUE, a sequence_req_flag of TRUE, and an
 integ_req_flag of TRUE.  If the client will be requesting a security
 layer providing confidentiality protection, it MUST also supply to
 the GSS_Init_sec_context a conf_req_flag of TRUE.

This text got replaced with the following in GS1:

 When calling the GSS_Init_sec_context the client
 MUST pass the integ_req_flag of TRUE.  If the client will be
 requesting a security layer, it MUST also supply to the
 GSS_Init_sec_context a mutual_req_flag of TRUE, and a
 sequence_req_flag of TRUE.  If the client will be requesting a
 security layer providing confidentiality protection, it MUST also

supply to the GSS_Init_sec_context a conf_req_flag of TRUE.

Thanks, I had already made that change.  I had also added:

     The client MUST
     verify that the requested flags become enabled in the
     context.

Because, if I understand correctly, setting the flags does not
necessarily mean that they will be set, so the client has to check
that they were indeed enabled.


That seems reasonable.

Follow-Ups:
- Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
  - From: Simon Josefsson

References:
- WG Last Call: draft-ietf-sasl-gs2-02.txt
  - From: Kurt D. Zeilenga
- Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
  - From: Alexey Melnikov
- Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
  - From: Simon Josefsson

Prev by Date: Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
Next by Date: Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
Previous by thread: Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
Next by thread: Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
Index(es):
- Date
- Thread