Re: request for agenda items
Martin Rex <martin.rex@sap.com> Fri, 01 July 2005 17:22 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DoPDn-00069R-6P; Fri, 01 Jul 2005 13:22:35 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DoPDk-00067W-O8 for kitten@megatron.ietf.org; Fri, 01 Jul 2005 13:22:33 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA17584 for <kitten@ietf.org>; Fri, 1 Jul 2005 13:22:29 -0400 (EDT)
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DoPdk-0007iT-Qk for kitten@ietf.org; Fri, 01 Jul 2005 13:49:25 -0400
Received: from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id TAA08234; Fri, 1 Jul 2005 19:11:48 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200507011711.TAA11683@uw1048.wdf.sap.corp>
To: hartmans-ietf@mit.edu
Date: Fri, 01 Jul 2005 19:11:48 +0200
In-Reply-To: <tsl1x6k95xt.fsf@cz.mit.edu> from "Sam Hartman" at Jun 29, 5 06:03:26 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c83ccb5cc10e751496398f1233ca9c3a
Content-Transfer-Encoding: 8bit
Cc: kitten@ietf.org
Subject: Re: request for agenda items
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Sender: kitten-bounces@lists.ietf.org
Errors-To: kitten-bounces@lists.ietf.org
Sam Hartman wrote: > > I'd like to have a discussion on what it would take to move 2743/2744 > to draft? Would we have to respin the documents? The most important task is to demonstrate independent interoperable implementations. Formally, a WG needs to reconsider the document and remove parts that are not being used or failed to show interoperability (those parts that can be removed without breaking the spec). Since GSS-API (in particular rfc2743/2744) are a first of all a definition of a common API, this means that we need "portable" applications that show plug-and-play with different gssapi mechanisms. John Linn (the original WG chair of ietf-cat) contacted me in May 2001 about an effort to move GSS-API to draft standard, but it appears he couldn't raise enough momentum to make it happen. Maybe you should talk to him again. I do have some experience with plug-n-play of our application with more than a dozen independent gssapi mechanisms. We have set up an interoperability certification for our application with third-party gssapi mechanisms. I was given the permission to publish as OpenSource the software (called "GSSTEST") which we use to perform (GSS-)API-level testing of third-party gssapi mechanisms. (ftp://ftp.sap.com/pub/ietf-work/gssapi/gsstest/gsstest-1.26.zip) The tested functionality is focused on the functionality that we need and how we use it, and therefore a subset of GSS-API v2. GSSTEST checks characteristics which I admit to be SAP specific interoperability constraints, and things that *I* believe are general requirements, but others may disagree. :) But although it's been availabe for more than 5 years, it doesn't seem to be very popular (or known) among gssapi implementors. GSSTEST is happy with MIT Kerberos 1.2.x, HP-UX Kerberos (which seems to be very close to MIT's 1.2.1) and recent Heimdal implementations. It has serious problems with Sun's Kerberos, and if Microsoft would be using it, it would have saved them a couple of hotfixes... The things that may need to be removed because of a lack of interoperability are according to *MY* experience: - channel bindings - hostbased service names Reason: Few (if any) portable applications request and use it, and the majority of gssapi mechanisms simply doesn't implement either one. Actually, the single mechanism that I know to implement it is Kerberos, and even there Microsoft didn't implement channel bindings... Entirely removing these features is impossible without breaking the spec, and I do know that there are niches in the Kerberos area where these features are actively used. However the spec needs to be updated with guidelines on its use and a general caution that applications will encounter gssapi mechanisms that do not offer these features. Another difficult area is the use of (printable) names with GSS-API. The seriously underspecified RFC-2025 (The Simple Public Key GSS-API mechanism) does not define a mechanism specific name format, which significantly impairs interoperability in a heterogeneous environment and may outright prevent interoperability in a heterogeneous distributed environment. The definition of the name format in the Kerberos gssapi mechanism spec rfc-1964 has saved Kerberos from the most serious troubles, but the transition from just-send-8 to Unicode/UTF-8 characters exists. This is an area where GSS-API v2 can be considered underspecified. The data type when passing a printable name through a gssapi function is "octet string" with an accompanying nametype OID, and the most common implementation tradition is to use whatever 8-bit character set is the default on the platform. When printable names are the input to gssapi calls, it should be possible to add a nametype-OID for every existing with the same inpretation, just indicating that the encoding is UTF-8 rather than the default local 8-bit charset. The two difficulties that come to my mind with this approach: (1) installed base applications don't know about the UTF-8 nametypes and will continue to use the existing nametypes (2) installed base applications will probably choke when gss_display_name() suddenly returns an unknown nametype (1) should not be a problem (except constraining the use of names while older applications are still being used), but (2) is difficult: how can a gssapi mechanism distinguish when it is ok to return a newer UTF-8 style nametype from gss_display_name(), and when doing it will cause the calling (old) application to choke and break. So when we add UTF8-encoded nametypes, then we should define how an application can indicate to the gssapi-mechanism that it is a new application and aware of UTF-8 and will not break when gss_display_name returns an UTF-8 based nametype or gss_display_status returns UTF8-encoded text. -Martin _______________________________________________ Kitten mailing list Kitten@lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten
- request for agenda items Jeffrey Altman
- Re: request for agenda items Sam Hartman
- Re: request for agenda items Nicolas Williams
- Re: request for agenda items Sam Hartman
- Re: request for agenda items Nicolas Williams
- Re: request for agenda items Sam Hartman
- Re: request for agenda items Nicolas Williams
- Re: request for agenda items Jeffrey Altman
- Re: request for agenda items Nicolas Williams
- Re: request for agenda items Jeffrey Hutzelman
- Re: request for agenda items Sam Hartman
- Re: request for agenda items Martin Rex
- Re: request for agenda items Martin Rex
- RE: request for agenda items Tim Alsop
- Re: request for agenda items Nicolas Williams
- RE: request for agenda items Liqiang(Larry) Zhu