Re: WG Last Call: draft-ietf-sasl-gs2-02.txt
Alexey Melnikov <alexey.melnikov@xxxxxxxxx> writes:
> Simon Josefsson wrote:
>
>>>>4.2. Context Token
>>>>
>>>[...]
>>>
>>>> The client calls GSS_Init_sec_context, passing in
>>>> input_context_handle of 0 (initially), mech_type of the GSSAPI
>>>> mechanism for which this SASL mechanism is registered, the
>>>> chan_binding is set to NULL, and targ_name equal to output_name from
>>>> GSS_Import_Name called with input_name_type of
>>>> GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
>>>>
>>>The GS1 has the note marker (*) after the "GSS_C_NT_HOSTBASED_SERVICE",
>>>the note reads:
>>>
>>> (*) - Clients MAY use name types other than
>>> GSS_C_NT_HOSTBASED_SERVICE to import servers' acceptor names, but
>>> only when they have a priori knowledge that the servers support
>>> alternate name types. Otherwise clients MUST use
>>> GSS_C_NT_HOSTBASED_SERVICE for importing acceptor names.
>>>
>>>This is to address recent Nico's proposal to allow for domain based names.
>>>
>>I've added this.
>>
>>Is something similar needed for the server side too?
>
> I think something like (from GS1) is sufficient:
>
> (**) - Use of server's principal names having
> GSS_C_NT_HOSTBASED_SERVICE name type and "service@hostname" format,
> where "service" is the service name specified in the protocol's
> profile, is RECOMMENDED.
>
> So basically this allows for other name types.
OK. I added the explanation for "hostname" and the reference to
GSS_Import_name, which were both lost, so the entire sentence now
reads:
<t>(**) - Use of server's principal names having
GSS_C_NT_HOSTBASED_SERVICE name type and "service@hostname"
format, where "service" is the service name specified in the
protocol's profile, and "hostname" is the fully qualified host
name of the server, is RECOMMENDED. The desired server name
is generated by calling GSS_Import_name with input_name_type
of GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
"service@hostname".</t>
Perhaps GS1 should have a similar update, in AUTH48 or so.
/Simon
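As an added example, not part of the draft or of this message: the two naming rules discussed above (the (*) MUST/MAY on the client's choice of name type, and the (**) RECOMMENDED "service@hostname" form with a fully qualified host name) written as a small checker. The function names, the use of plain strings in place of the GSS-API name-type OIDs, the "imap" service token and the example host names are all my assumptions; no GSS-API library is assumed, so the result is the (input_name_type, input_name_string) pair that would be handed to GSS_Import_Name rather than a real GSS name object.

```python
"""Added example (not from the draft or the mailing-list thread): encodes the
acceptor-name rules discussed above as a small checker.

Assumptions (mine, not the draft's): the function names, the name-type
constants as Python strings, and that no GSS-API library is available, so
the result is the (input_name_type, input_name_string) pair that would be
handed to GSS_Import_Name rather than a real GSS name object.
"""

import re

# Symbolic labels used only for this example; the real values are OIDs.
GSS_C_NT_HOSTBASED_SERVICE = "GSS_C_NT_HOSTBASED_SERVICE"
GSS_C_NT_USER_NAME = "GSS_C_NT_USER_NAME"  # stands in for "some other type"

# A service token in "service@hostname" must not itself contain '@'.
_SERVICE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")
# Minimal fully-qualified-host-name check: at least two DNS labels, each
# letters/digits/hyphen with no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_fully_qualified(hostname: str) -> bool:
    """True if hostname has at least two valid DNS labels (a trailing dot is
    tolerated and stripped)."""
    labels = hostname.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(lbl) for lbl in labels)


def hostbased_service_name(service: str, hostname: str) -> str:
    """Build the RECOMMENDED "service@hostname" string, with the host name
    lower-cased and without a trailing dot.  Rejects a bare, unqualified
    host name, which is the case the (**) wording rules out."""
    if not _SERVICE_RE.match(service):
        raise ValueError(f"invalid service token: {service!r}")
    if not is_fully_qualified(hostname):
        raise ValueError(f"hostname is not fully qualified: {hostname!r}")
    return f"{service}@{hostname.rstrip('.').lower()}"


def client_acceptor_name(service, hostname, name_type=GSS_C_NT_HOSTBASED_SERVICE,
                         a_priori_alternate=False, alternate_string=None):
    """Return the (input_name_type, input_name_string) pair a client would
    pass to GSS_Import_Name.

    Mirrors the (*) note: a name type other than GSS_C_NT_HOSTBASED_SERVICE
    is allowed only when the client has a priori knowledge that the server
    supports it; otherwise the hostbased service type is mandatory.
    """
    if name_type == GSS_C_NT_HOSTBASED_SERVICE:
        return (name_type, hostbased_service_name(service, hostname))
    if not a_priori_alternate:
        raise ValueError("alternate name type requires a priori knowledge that "
                         "the server supports it; use GSS_C_NT_HOSTBASED_SERVICE")
    if alternate_string is None:
        raise ValueError("alternate name type needs an explicit name string")
    return (name_type, alternate_string)


if __name__ == "__main__":
    # "imap" and the host names are constructed sample input.
    print(client_acceptor_name("imap", "Mail.Example.COM."))
```

The canonicalisation to lower case and the fully-qualified check are the parts a client most often gets wrong in practice: a short host name such as "mail" imports fine as a string but names a different principal than "mail.example.com", so the checker refuses it instead of silently producing "imap@mail".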