[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Holding gs2

To: Sam Hartman <hartmans-ietf@xxxxxxx>
Subject: Re: Holding gs2
From: Simon Josefsson <simon@xxxxxxxxxxxxx>
Date: Tue, 22 Jan 2008 15:53:08 +0100
Cc: ietf-sasl@xxxxxxx
In-reply-to: <tslk5m2ep8f.fsf@xxxxxxx> (Sam Hartman's message of "Mon, 21 Jan 2008 18:24:48 -0500")
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <tslzlv55mon.fsf@xxxxxxx> <87bq7hx536.fsf@xxxxxxxxxxxxxxxxxxx> <tslk5m2ep8f.fsf@xxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Sam Hartman <hartmans-ietf@xxxxxxx> writes:

>>>>>> "Simon" == Simon Josefsson <simon@xxxxxxxxxxxxx> writes:
>
>     Simon> Sam Hartman <hartmans-ietf@xxxxxxx> writes:
>     >> I have a question for the SASL working group.  With the
>     >> exception of the question I brought up about optimal round
>     Simon> I fear this would delay GS2 implementations for Kerberos
>     Simon> V5, which would give us useful feedback on other aspects of
>     Simon> the document.
>
> Are there any implementers of SASL or Kerberos stacks who plan to delay?

I have started to implement GS2 twice to test the Kerberos V5 reduced
round-trip mode.  The protocol kept changing, even after passing WGLC,
so I postponed those efforts pending a stable draft.  I recently planned
to resume work on GS2 during February, but this discussion suggests to
me that I need to wait longer.  Publishing GS2, with the limited
applicability for Kerberos would move my effort forward.

I'd be interested in understanding how other implementers think about
this too.

I don't see why having three mechanisms to do the same is problematic.
Ok, it does lead to complexity, but supposedly the complexity is
_required_ in order to solve some identified problem.  GS2 solves the
identified problem of unnecessary many round-trips compared to Kerberos
V5 via GSS-API.  If we don't consider that a valid problem, we should
say that GS2 should not be used with Kerberos V5 at all, and instead say
that users should use GSS-API for this.  That approach would take away
all the complexity for Kerberos in GS2.  If we go this route, I would
support delaying publication of GS2 until we have specifications of the
GSS-API mechanisms that were designed with GS2 in mind.

If I recall correctly, the use-case of hybrid SASL and GSS-API
mechanisms was established after we decided to do GS2.

/Simon

Follow-Ups:
- Re: Holding gs2
  - From: Alexey Melnikov

References:
- Holding gs2
  - From: Sam Hartman
- Re: Holding gs2
  - From: Simon Josefsson
- Re: Holding gs2
  - From: Sam Hartman

Prev by Date: Re: Holding gs2
Next by Date: Re: Holding gs2
Previous by thread: Re: Holding gs2
Next by thread: Re: Holding gs2
Index(es):
- Date
- Thread