Re: Please review: http gss authentication mech





More significantly, draft-nystrom-http-sasl-12.txt only works when persistent connections are used, which is a showstopper. Hence the text in http-gss:


   session.  Instead opaque identifiers in the GSS challenge option
   field are optionally used together with channel bindings to provide a
   way to share a security context over several HTTP connections.

 - RL "Bob"

Tim Alsop wrote:
Have you considered using SASL over HTTP with GSS-API, as described in:

http://tools.ietf.org/wg/sasl/draft-nystrom-http-sasl-12.txt

I was under the impression that the above draft was the preferred method
to improve on the HTTP negotiate approach.

I am under the impression that the proposed SASL mechanism doesn't support channel bindings, partially because channel bindings have been a notoriously difficult problem to get right in SASL space. Personally I don't see the value of adding the extra layer of glue.

   Cheers Leif


_______________________________________________ Kitten mailing list Kitten at lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten






Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.