Re: I-D Action:draft-ietf-sasl-gs2-14.txt

On Wed, Jul 08, 2009 at 01:11:57PM +0100, Alexey Melnikov wrote:
> Some quick comments.
> In Section 3.5:
> >   If the client negotiates mechanisms then clients MUST select the
> >   PLUS-variant if offered by the server.
> This makes sense.
> >Otherwise, if the client does
> >   not negotiate mechanisms then it MUST use the non-PLUS variant.
> This doesn't make much sense. If the client remembers what the server 
> advertised previously, then it can just use the same mechanism.
> But even if the client never negotiates mechanisms (e.g. if the user 
> selected the mechanism in UI), then why should it be restricted to 
> the non-PLUS variant?

I think that text had been intended to say that the non-PLUS variant
must be selected when the client has no idea what the server supports
and the client isn't using CB.  But it doesn't really matter.  I'd be
happy with removing this text.

> In Section 5.1:
> >   The application-data field MUST be set to the gs2-header concatenated
> >   with, when a gs2-cb-flag of "p" is used, the application's channel
> >   binding data (if any).
> I think "(if any)" should be removed, because for "p" the channel 
> binding data is always present. I assume that channel binding data 
> can't be the empty string.