Re: Holding gs2
>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz@xxxxxxx> writes:
Jeffrey> The main drawback to this approach is that it means GS2
Jeffrey> can be used only with GSS-API mechanisms for which such
Jeffrey> an AS exists. That's fine if the only mechanisms are
Jeffrey> standards-track base mechanisms, but things start to get
Jeffrey> hairy if we want to allow for the use of stackable
Jeffrey> mechanisms or of privately-defined mechanisms. Of
Jeffrey> course, whoever defines a private mechanism could also
Jeffrey> specify GS2's applicability to that mechanism, at least
Jeffrey> for anyone for which it matters.
I consider this a very significant drawback.
Jeffrey> All of that being said, it seems that maybe we're
Jeffrey> worrying too much. Last I knew we had an effort underway
Jeffrey> which it was hoped would produce a non-Kerberos GS2
Jeffrey> mechanism. Whether that actually materializes or not, I
Jeffrey> think we have basically worked out what it needs to look
Jeffrey> like to work with GS2. Do we believe that is not
Jeffrey> sufficient to demonstrate that GS2 can successfully be
I am unconvinced we understand how to apply GS2 to mechanisms beyond
Kerberos in a manner such that those mechanisms can easily be coded as
pure SASL mechanisms. I'm concerned about unnecessary optional
exchanges and complicated control flow.
I suspect that Chris and others will not like the result if using gs2
complicates the potential control flows, adds variable round trips,
etc.
So, no, I'm not convinced we know that gs2 can meet our needs. Of
course, with my leave, we have a month before GS2 could progress
anyway. It would be really great if people could actually do the work
of specifying the mechanism for GS2 during that month.