Re: WG Last Call: draft-ietf-sasl-gs2-02.txt

[Alexey Melnikov <alexey.melnikov@xxxxxxxxx>]

Simon Josefsson wrote:

> Alexey Melnikov <alexey.melnikov@xxxxxxxxx> writes:
>  
>
> > > > And the text quoted above is followed by additional text which is not
> > > > currently in GS2:
> > > >
> > > > Upon successful establishment of the security context and if the
> > > > server used GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL to create acceptor
> > > > credential handle, the server SHOULD also check using the
> > > > GSS_Inquire_context that the target_name used by the client matches:
> > > >
> > > > -  the GSS_C_NT_HOSTBASED_SERVICE "service@hostname" name syntax,
> > > >    where "service" is the service name specified in the application
> > > >    protocol's profile.
> > > >
> > > > When GSS_Accept_sec_context returns GSS_S_COMPLETE, the server
> > > > examines the context to ensure that it provides a level of protection
> > > > permitted by the server's security policy.
> > > >   
> > > >        
> > > Thanks, I added this, but changed the SHOULD into MUST, because
> > > otherwise it seems we open up to a mitm.
> > >      
> > No, the SHOULD is here because the server could have used a specific
> > principal during GSS_Import_Name. In such case there would be no need to
> > do the check.
> >    
> The text applies only when GSS_C_NO_NAME and/or GSS_C_NO_CREDENTIAL
> was used, and in that case I think the test is necessary.  Or Is there
> another reason to not do the test?
>  
A server implementation can have some external knowledge about the 
principal that will be selected when GSS_C_NO_NAME and/or 
GSS_C_NO_CREDENTIAL is used. I guess this can be interpreted as 
compliance with the SHOULD?