[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-josefsson-sasl-external-channel-03

To: Nicolas Williams <Nicolas.Williams@xxxxxxx>
Subject: Re: draft-josefsson-sasl-external-channel-03
From: Simon Josefsson <simon@xxxxxxxxxxxxx>
Date: Wed, 22 Apr 2009 12:24:00 +0200
Cc: ietf-sasl@xxxxxxx
In-reply-to: <20090421201705.GX1500@xxxxxxx> (Nicolas Williams's message of "Tue, 21 Apr 2009 15:17:06 -0500")
List-archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-id: <ietf-sasl.imc.org>
List-unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <20090418103001.AD7E03A69C6@xxxxxxxxxxxxxx> <87hc0mtf5y.fsf@xxxxxxxxxxxxxxxxxxx> <20090421201705.GX1500@xxxxxxx>
Sender: owner-ietf-sasl@xxxxxxxxxxxx
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.90 (gnu/linux)

Nicolas Williams <Nicolas.Williams@xxxxxxx> writes:

> On Sat, Apr 18, 2009 at 12:44:09PM +0200, Simon Josefsson wrote:
>> Complete diff:
>> http://josefsson.org/external-channel/draft-josefsson-sasl-external-channel-03-from-2.diff.html
>> 
>> > http://www.ietf.org/internet-drafts/draft-josefsson-sasl-external-channel-03.txt
>
> A few comments:
>
>  - I doubt today there's ever any cases where there could confusion as
>    to what channel "EXTERNAL" refers to.  The confusion and the need for
>    a priori agreement is theoretical -- if so then the text should
>    probably reflect that, otherwise examples should be given.

I don't follow -- RFC 4422 implies that the selection of what EXTERNAL
refers to needs to be arranged out of band.  The point of this document
is to move the negotiation in band.  Since RFC 4422 rules the
negotiation out of scope, there is by definition always confusion which
channel is intended, and even on successful authentication there is in
practice no in-band guarantees that both sides intended the same
channel.

Maybe Kurt could describe his use case?

>  - When "EXTERNAL" is used one would think that the highest-layer,
>    innermost end-to-end channel is the one it ought to refer to.  It
>    strikes me as a good idea to state that.

This is mentioned in section 3 for EXTERNAL-TLS.  I believe this belongs
in each EXTERNAL-FOO mechanism rather than in the generic framework, but
I agree that this needs to be stated.  I have added this section:

  <t>The external security channel to use is implied by the SASL
    mechanism name.  The channel has to be uniquely identifiable at
    both cliend and server side.  This means that mechanisms
    registered in this family MUST detail which channel should be
    chosen if there are layered channels of the same type.</t>

>  - An informative reference to TLS (RFC5246) seems necessary.  (Or
>  maybe even normative.)

I've made it normative.  (There was an informative reference.)

>  - The string "a002" in the example given should probably be explained,
>    or even removed (it seems superfluous, besides, 

It can't be removed, or the example wouldn't be valid ACAP, if I
understand correctly.  The same is in RFC 4422.  I don't think we need
to explain the ACAP protocol.  But maybe I'm missing something...

>  application protocol bindings of SASL are not needed in order to have
>  an example, no?).

...because I don't understand what you mean here, explain?

/Simon

Follow-Ups:
- Re: draft-josefsson-sasl-external-channel-03
  - From: Kurt Zeilenga
- Re: draft-josefsson-sasl-external-channel-03
  - From: Nicolas Williams

References:
- draft-josefsson-sasl-external-channel-03
  - From: Simon Josefsson
- Re: draft-josefsson-sasl-external-channel-03
  - From: Nicolas Williams

Prev by Date: Re: Updated SASL And Channel Binding document (-03)
Next by Date: Re: slow authentication
Previous by thread: Re: draft-josefsson-sasl-external-channel-03
Next by thread: Re: draft-josefsson-sasl-external-channel-03
Index(es):
- Date
- Thread