RE: Please review: http gss authentication mech
Bob,
Since the draft for SASL-HTTP is not yet an RFC, is there any reason why
changes cannot be proposed to allow it to support non-persistent
connections?
It just seems strange to me that this draft has undergone a lot of work
by many people, and because of some functionality that is missing from
it (e.g. support for non-persistent connections) it is being suggested
that a new draft should be progressed instead. Is this the way that
standards are normally progressed?
Regards,
Tim
-----Original Message-----
From: RL 'Bob' Morgan [mailto:rlmorgan at washington.edu]
Sent: 09 November 2006 23:26
To: Leif Johansson
Cc: Tim Alsop; Kitten; Lisa Dusseault
Subject: Re: Please review: http gss authentication mech
More significantly, draft-nystrom-http-sasl-12.txt only works when
persistent connections are used, which is a showstopper. Hence the
text in http-gss:
session. Instead opaque identifiers in the GSS challenge option
field are optionally used together with channel bindings to provide
a way to share a security context over several HTTP connections.
- RL "Bob"
> Tim Alsop wrote:
>> Have you considered using SASL over HTTP with GSS-API, as described in:
>>
>> http://tools.ietf.org/wg/sasl/draft-nystrom-http-sasl-12.txt
>>
>> I was under the impression that the above draft was the preferred
>> method to improve on the HTTP negotiate approach.
>>
> I am under the impression that the proposed SASL mechanism doesn't
> support channel bindings, partially because channel bindings have been
> a notoriously difficult problem to get right in SASL space. Personally I
> don't see the value of adding the extra layer of glue.
>
> Cheers Leif
>
>
> _______________________________________________
> Kitten mailing list
> Kitten at lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/kitten
>
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.