Re: Holding gs2
Sam Hartman <hartmans-ietf@xxxxxxx> writes:
> I have a question for the SASL working group. With the exception of
> the question I brought up about optimal round trips, GS2 seems ready
> to last call.
>
> However I'd like to ask the WG to consider whether it really wants to send GS2 on its way now.
>
> I think it may be better to hold GS2 until we get experience with a
> SASL+GSS mechanism. I'd hate for that effort to fail because we are
> unable to make some small change in GS2.
>
> If the WG believes that sending GS2 on its way now is the best thing
> to do I (or my successor) can send it to ietf last call after we
> finish discussion on my comments. I just think it would be better to
> hold that document until we get a mechanism that is both a GSS and
> SASL mechanism or we conclude that doesn't work for us.
I fear this would delay GS2 implementations for Kerberos V5, which would
give us useful feedback on other aspects of the document.
How about a compromise: publish GS2 soon but specify that it is ONLY to
be used with Kerberos V5, i.e., the GS2-QLJHGJLWNPLMQRNK mechanism.
This will lead to implementation experience for this particular use of
GS2, while making it possible to make changes that are relevant for
non-Kerberos mechanisms, when such experience has established itself.
The GS2 document could later be updated with the fixes needed for
non-Kerberos V5 mechanisms, and say that a bunch of other SASL
mechanism names are now permitted.
I think how GS2 will work with Kerberos V5 is well understood, since it
has been the only practical example to think about when we designed GS2.
So if there are mistakes relevant to Kerberos V5 in GS2, I don't believe we
can hope to find them without implementation feedback at this stage.
The only problem would be if we need to change something in GS2 that
would affect how Kerberos V5 exchanges behave. That would be
interesting. If that happens, as a worst-case scenario, it is always
possible to call the revised protocol GS3 and have it say that if you
use Kerberos V5, you need to use GS2-* instead. Unless there are
security issues in GS2, then we would need to revise it anyway, in
possible backwards incompatible ways.
What do people think?
/Simon