Re: proposed charter revision
On Thursday, August 09, 2007 10:49:26 AM +0200 Simon Josefsson
> I think having a dual GSSAPI/SASL password-based mechanism is a good
> idea. It should be possible to implement the protocol (easily!) as a
> SASL mechanism, without having to understand or support GSS-API, and it
> should be possible to implement the protocol as a GSS-API mechanism.

The question is, do we base the SASL mechanism directly on the underlying
protocol or on the GSS-API mechanism? The main criterion I heard in Chicago
was that SASL implementors be able to _implement_ the SASL mechanism
without having to build or depend on a GSS-API implementation. I believe
it is possible to meet that requirement while still building the SASL
mechanism on GS2 and the GSS-API mechanism. I also think that doing so
enhances interoperability, because it means that a SASL implementation
which implements this mechanism directly will interoperate with one which
implements GS2 and has a GSS-API implementation with this mechanism.

Put more simply, I think it is desirable that SASL-FOO and SASL-GS2-FOO
interoperate, and I believe this requires that they have the same mechanism
name and the same bits on the wire, so that both implementation paths lead
to the same protocol.