[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Holding gs2

To: Simon Josefsson <simon@xxxxxxxxxxxxx>
Subject: Re: Holding gs2
From: Alexey Melnikov <alexey.melnikov@xxxxxxxxx>
Date: Sun, 27 Jan 2008 18:27:47 +0000
Cc: Sam Hartman <hartmans-ietf@xxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <87myqxnc8b.fsf@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
References: <tslzlv55mon.fsf@xxxxxxx> <87bq7hx536.fsf@xxxxxxxxxxxxxxxxxxx> <tslk5m2ep8f.fsf@xxxxxxx> <87myqxnc8b.fsf@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915


Simon Josefsson wrote:

Sam Hartman <hartmans-ietf@xxxxxxx> writes:

"Simon" == Simon Josefsson <simon@xxxxxxxxxxxxx> writes:

   Simon> Sam Hartman <hartmans-ietf@xxxxxxx> writes:
   >> I have a question for the SASL working group.  With the
   >> exception of the question I brought up about optimal round
   Simon> I fear this would delay GS2 implementations for Kerberos
   Simon> V5, which would give us useful feedback on other aspects of
   Simon> the document.

I have to admit that I share some of the concerns raised by Steve.

I think it would be nice to go through SCRAM-as-GSS-API-mechanismexercise before publishing GS2. However I do understand that delayingGS2 because of SCRAM might not be fair for people who want to tryimplement GS2.

Are there any implementers of SASL or Kerberos stacks who plan to delay?

I have started to implement GS2 twice to test the Kerberos V5 reduced
round-trip mode.  The protocol kept changing, even after passing WGLC,
so I postponed those efforts pending a stable draft.  I recently planned
to resume work on GS2 during February, but this discussion suggests to
me that I need to wait longer.  Publishing GS2, with the limited
applicability for Kerberos would move my effort forward.

I'd be interested in understanding how other implementers think about
this too.

I [still] plan to implement GS2 once it is stable. But I am unlikely tobe quicker than you in doing that, due to other commitments.

I don't see why having three mechanisms to do the same is problematic.
Ok, it does lead to complexity, but supposedly the complexity is
_required_ in order to solve some identified problem.  GS2 solves the
identified problem of unnecessary many round-trips compared to Kerberos
V5 via GSS-API.  If we don't consider that a valid problem, we should
say that GS2 should not be used with Kerberos V5 at all,

I consider reduction of round-trips as the main goal of GS2.

and instead say
that users should use GSS-API for this.  That approach would take away
all the complexity for Kerberos in GS2.  If we go this route, I would
support delaying publication of GS2 until we have specifications of the
GSS-API mechanisms that were designed with GS2 in mind.

How about publishing GS2 as Experimental RFC and move it (or replace it,if errors are found) to Standard Track once we have some implementationexperience?

If I recall correctly, the use-case of hybrid SASL and GSS-API
mechanisms was established after we decided to do GS2.

Follow-Ups:
- Re: Holding gs2
  - From: Nicolas Williams

References:
- Holding gs2
  - From: Sam Hartman
- Re: Holding gs2
  - From: Simon Josefsson
- Re: Holding gs2
  - From: Sam Hartman
- Re: Holding gs2
  - From: Simon Josefsson

Prev by Date: Re: What am I waiting on for gs2?
Next by Date: Re: Holding gs2
Previous by thread: Re: Holding gs2
Next by thread: Re: Holding gs2
Index(es):
- Date
- Thread