[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [TLS] GSS-API extension draft available

To: "tls@xxxxxxxx" <tls@xxxxxxxx>
Subject: RE: [TLS] GSS-API extension draft available
From: Peter Williams <home_pw@xxxxxxx>
Date: Tue, 19 Dec 2006 10:11:43 -0800
Cc:
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>

I much rather see the usul negotiation of the GSSAPI ciphersuite, and then a custom-GSS client protocol
handshake occur, before the master keying occurs. This would naturally occur after serverkeyexchange, which
could be used to signal the GSS mechanism and payload exchange process sub-states to the client.

Like ChangeCipherSuite messages, the GSS mechanism oid exchanges should not be classified
as a handshake message. Arguably, the GSS payloads should: trouble is ...they would have to be opaques, under
the conventional formalism.

I don't like the idea of GSS mechanisms having any possibility of influencing the sessionid resumption processes.
Thus im not in favor of the binding to the hello process.

Interesting that yet another proposal is once again all about PRFs, and controlling master keying. Its not
OBVIOUSLY a spec about adding GSS API mechanisms to the portfolio of techniques, or fixing
kerbersos ciphersuites, per the marketing!

Did occur to me to wonder, from the design, whether there is an intend to be assigning to the GSS provider's
selected mechanism now the management/control of the session resumption process. This is interesting, if
its an intent; particularly if its in the first packet (being bound to clienthello)

> From: stefans@xxxxxxxxxxxxx
> To: tls@xxxxxxxx
> Date: Tue, 19 Dec 2006 16:31:39 +0000
> CC: arimed@xxxxxxxxxxxxxxxxxxxxx; pasi.eronen@xxxxxxxxx
> Subject: [TLS] GSS-API extension draft available
>
> A first version of the GSS-API draft is available from:
> http://www.ietf.org/internet-drafts/draft-santesson-tls-gssapi-00.txt
>
> The title of this draft is wrong. Please ignore that error. A new draft 01 with a correct title has been submitted today.
>
> I request on behalf of the editors that the TLS WG adopt this as a WG document.
>
>
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@xxxxxxxxxxxxxx
> https://www1.ietf.org/mailman/listinfo/tls

Check the weather nationwide with MSN Search Try it now!

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] GSS-API extension draft available
  - From: Jeffrey Altman

Prev by Date: Ephemeral RSA (was Re: [TLS] Any advice regarding frequency of generating)
Next by Date: RE: Ephemeral RSA (was Re: [TLS] Any advice regarding frequency ofgenerating)
Previous by thread: [TLS] draft-ietf-tls-srp-13
Next by thread: Re: [TLS] GSS-API extension draft available
Index(es):
- Date
- Thread