Re: [TLS] SPNEGO over TLS - proposed new work item
Stefan Santesson wrote:
>
> We had a design meeting today to conclude discussions about this proposal
> that has surfaced during the IETF week.
>
> As such the proposal has changed in the way that SPNEGO has been removed
> from the proposal and replaced with direct exchange of GSS-API tokens.
> The slides for the presentation tomorrow have been sent to Eric and should
> be up on the meeting materials page before the TLS meeting.
>
> A first draft will be available for consideration shortly after this IETF
> and Jeff Altman has agreed to help as co-editor.

A thought that came to me during today's TLS meeting was the following:

With existing SSL/TLS (and its implementations), the authenticated peer
becomes part of the SSL session state in the SSL session cache.

When including an "external" authentication in the TLS handshake,
what happens with the information about the authenticated peer,
how is it "persisted", so that it will be transparently available
when that SSL session is later resumed?

Some features of existing GSS-API mechanisms (and future features,
in particular about authorization attributes and subject alt name
retrieval) might be extremely non-trivial to persist in the
SSL session cache.

-Martin