Re: New GS2: pulling everything together
On Tue, Mar 17, 2009 at 12:16:01PM +0100, Simon Josefsson wrote:
> Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:
> > We've had a lot of comments on the new GS2 design. Time to pull
> > everything together again.
>
> Good summary!
Thanks!
> I have one question/observation about GS2 for non-SCRAM mechanisms and
> header compression:
>
> > - The RFC2743 section 3.1 initial context token header compression
> > flag would not be needed for a pure SASL SCRAM. But it's only a
> > constant for SCRAM, therefore it's not a problem. I believe we
> > have consensus on this.
>
> If a server advertises a GS2 SASL mech, that doesn't have a "simple"
> name, GS2 clients (that use a GSS-API library) will need to iterate over
> all the GSS-API mechanisms supported by the GSS-API library, and compute
> the generated SASL mech name and compare that with the server mech list
> before it knows whether it supports an offered mechanism or not. Is my
> understanding right? It seems somewhat sub-optimal, but I don't see how
> we can avoid it.
>
> To avoid this, it seems another GSS-API function such as
> GSS_Inquire_mech_for_SASLname that return a mech OID for a given SASL
> name, is needed. Thoughts on whether this is worthwhile?
Sure.
BTW, the RFC2743 header compression constant could even be removed in
the case of SCRAM (since the CB flag will make it unambiguously clear
that the header compression flag had to have the sense that indicates
that the RFC2743 header should have been present). I.e., the ABNF for
the GS2 header could be:
gs2-header = [ "F" ] ( "n" / "y" / "p" ) [ "a=" saslname ] ","
> > - With regards to the two mechname + gs2-cb-flag approach to negotiable
> > channel binding:
> ...
> > - Kurt prefers this approach to doing the negotiation in the mech
>
> I prefer it as well. Sub-negotiation adds complexity.
I agree in general. In this specific case I'm not sure your comment
about complexity applies, but I prefer it in this specific case as well.
> > - Jeff and I believe this approach is simple enough. We can't make
> > CB negotiation in GS2 any simpler. I believe Sam and Simon agree.
>
> As far as I understand so far, I agree fully.
Thanks.
Nico
--
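The gs2-header ABNF Nico proposes above, turned into a parser and builder as an added example (this is not code from the GS2 draft, from SCRAM, or from any SASL/GSS-API library). It follows the grammar exactly as written in the message: an optional "F" (the RFC2743 section 3.1 header compression flag), then a single-character gs2-cb-flag "n", "y" or "p", then an optional "a=" saslname, then the terminating comma. The message does not define saslname, so it is assumed here to be one or more non-comma characters; the function names, the Gs2Header record and the sample tokens are all constructed for this example.

```python
"""Parser/builder for the gs2-header as proposed in this message:

    gs2-header = [ "F" ] ( "n" / "y" / "p" ) [ "a=" saslname ] ","

Added example, not code from the GS2 draft or any SASL library.
Assumption: saslname is one or more non-comma characters (the message
does not define it).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

CB_FLAGS = ("n", "y", "p")  # the three gs2-cb-flag values in the ABNF


class Gs2HeaderError(ValueError):
    """Raised when the bytes do not match the gs2-header grammar."""


@dataclass(frozen=True)
class Gs2Header:
    nonstd: bool            # True if the optional "F" flag was present
    cb_flag: str            # "n", "y" or "p"
    authzid: Optional[str]  # saslname from "a=" saslname, or None


def parse_gs2_header(msg: bytes) -> Tuple[Gs2Header, bytes]:
    """Split the first client message into (gs2-header, remaining token).

    Every failure raises Gs2HeaderError with the offset, so a server can
    reject a malformed header before handing anything to the mechanism.
    """
    i = 0
    nonstd = False
    if msg[i:i + 1] == b"F":          # [ "F" ]
        nonstd = True
        i += 1

    cb = msg[i:i + 1].decode("ascii", "replace")
    if cb not in CB_FLAGS:            # ( "n" / "y" / "p" ) is mandatory
        raise Gs2HeaderError(f"bad gs2-cb-flag {cb!r} at offset {i}")
    i += 1

    authzid = None
    if msg[i:i + 2] == b"a=":         # [ "a=" saslname ]
        end = msg.find(b",", i + 2)   # saslname runs up to the next comma
        if end == -1:
            raise Gs2HeaderError("unterminated gs2-header (no trailing ',')")
        if end == i + 2:
            raise Gs2HeaderError(f"empty saslname at offset {i + 2}")
        authzid = msg[i + 2:end].decode("utf-8")
        i = end

    if msg[i:i + 1] != b",":          # the terminating ","
        raise Gs2HeaderError(f"expected ',' at offset {i}")
    return Gs2Header(nonstd, cb, authzid), msg[i + 1:]


def build_gs2_header(cb_flag: str, authzid: Optional[str] = None,
                     nonstd: bool = False) -> bytes:
    """Produce the header bytes a client prepends to its first token."""
    if cb_flag not in CB_FLAGS:
        raise Gs2HeaderError(f"bad gs2-cb-flag {cb_flag!r}")
    if authzid is not None and (authzid == "" or "," in authzid):
        raise Gs2HeaderError("saslname must be non-empty and comma-free")
    out = b"F" if nonstd else b""
    out += cb_flag.encode("ascii")
    if authzid is not None:
        out += b"a=" + authzid.encode("utf-8")
    return out + b","


if __name__ == "__main__":
    # Constructed sample: non-standard flag, CB used, authzid "alice".
    hdr, rest = parse_gs2_header(b"Fpa=alice,client-token")
    print(hdr, rest)
    print(build_gs2_header("n"))
```

Note that because "F" has no separating comma in this version of the grammar, a client that omits the cb flag (e.g. `Fa=bob,`) fails at the cb-flag check rather than being misread as an authzid, which is the behaviour a server wants.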