[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: What am I waiting on for gs2?

To: Simon Josefsson <simon@xxxxxxxxxxxxx>
Subject: Re: What am I waiting on for gs2?
From: Nicolas Williams <Nicolas.Williams@xxxxxxx>
Date: Mon, 28 Jan 2008 17:29:22 -0600
Cc: Sam Hartman <hartmans-ietf@xxxxxxx>, ietf-sasl@xxxxxxx
In-reply-to: <87hcidia0t.fsf@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Mail-followup-to: Simon Josefsson <simon@xxxxxxxxxxxxx>, Sam Hartman <hartmans-ietf@xxxxxxx>, ietf-sasl@xxxxxxx
References: <tslir3njs54.fsf@xxxxxxx> <87tzn6lcw9.fsf@xxxxxxxxxxxxxxxxxxx> <tslprxufnqk.fsf@xxxxxxx> <tslk5o04vw3.fsf@xxxxxxx> <87bq8ltq45.fsf@xxxxxxxxxxxxxxxxxxx> <tsld4t1iero.fsf@xxxxxxx> <87hcidia0t.fsf@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Mutt/1.5.7i

I support this change as well, modulo the what-do-we-do-about-Sam's-
comment thread.

We may still decide to make more changes to gs2.

What would gs2 with an option to support channel-binding-but-no-sec-
layers mechanisms?

I think the packet format would change from this:

                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             length                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               /
      /                      GSS_Init_sec_context or                  /
      /                   GSS_Accept_sec_context token,               /
      /                     of given length                           /
      /                                           --------------------/
      /                     ---------------------/                    /
      /--------------------/                                          /
      /                              Optional GSS_Wrap token          /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

to this for the initial one (and, if we want to simplify the spec, for
all of them):

                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             length                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |<gss-channel-binding-in-use>[<authzid>]                        |
      /                                           --------------------/
      /                     ---------------------/                    /
      /--------------------/                                          /
      |                                                               /
      /                      GSS_Init_sec_context or                  /
      /                   GSS_Accept_sec_context token,               /
      /                     of given length                           /
      /                                           --------------------/
      /                     ---------------------/                    /
      /--------------------/                                          /
      /                              Optional GSS_Wrap token          /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Where, if gss-channel-binding-in-use == TRUE then <authzid> is present
and the optional GSS_Wrap token is absent on this and all subsequent
context token exchange packets.  If gss-channel-binding-in-use == FALSE
then everything is just as it used to be.

If gss-channel-binding-in-use == TRUE then the client and the server
MUST both construct the GSS-API channel bindings from the actual channel
bindings passed in by the application and the authzid as well.  Channel
binding failure is critical in the GSS-API, so if channel binding fails
then SASL authentication fails.

gss-channel-binding-in-use can be a single octet, and authzid can be
NUL-terminated UTF-8.  The packet marshalling and unmarshalling is easy
then.  And the channel bindings can be the NUL-terminated authzid in
UTF-8 with the actual channel bindings appended.

Nico
--

References:
- What am I waiting on for gs2?
  - From: Sam Hartman
- Re: What am I waiting on for gs2?
  - From: Simon Josefsson
- Re: What am I waiting on for gs2?
  - From: Sam Hartman
- Re: What am I waiting on for gs2?
  - From: Sam Hartman
- Re: What am I waiting on for gs2?
  - From: Simon Josefsson
- Re: What am I waiting on for gs2?
  - From: Sam Hartman
- Re: What am I waiting on for gs2?
  - From: Simon Josefsson

Prev by Date: Re: What am I waiting on for gs2?
Previous by thread: Re: What am I waiting on for gs2?
Next by thread: Re: What am I waiting on for gs2?
Index(es):
- Date
- Thread