On Thursday, August 09, 2007 10:49:26 AM +0200 Simon Josefsson <simon@xxxxxxxxxxxxx> wrote:
> I think having a dual GSSAPI/SASL password-based mechanism is a good idea. It should be possible to implement the protocol (easily!) as a SASL mechanism, without having to understand or support GSS-API, and it should be possible to implement the protocol as a GSS-API mechanism.
The question is, do we base the SASL mechanism directly on the underlying protocol or on the GSS-API mechanism? The main criterion I heard in Chicago was that SASL implementors be able to _implement_ the SASL mechanism without having to build or depend on a GSS-API implementation. I believe it is possible to meet that requirement while still building the SASL mechanism on GS2 and the GSS-API mechanism. I also think that doing so enhances interoperability, because it means that a SASL implementation which implements this mechanism directly will interoperate with one which implements GS2 and has a GSS-API implementation with this mechanism.
Put more simply, I think it is desirable that SASL-FOO and SASL-GS2-FOO interoperate, and I believe this requires that they have the same mechanism name and the same bits on the wire, so that both implementation paths lead to the same protocol.
-- Jeff