[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [sasl] AD review comments for draft-ietf-sasl-gs2

From: Nicolas Williams <Nicolas.Williams at sun.com>
To: Simon Josefsson <simon at josefsson.org>
Cc: sasl at ietf.org
Date: Mon, 26 Oct 2009 12:01:19 -0500
In-reply-to: <87aaze85ac.fsf at mocca.josefsson.org>
References: <808FD6E27AD4884E94820BC333B2DB774E7F2F03EC at NOK-EUMSG-01.mgdnok.nokia.com> <87aaze85ac.fsf at mocca.josefsson.org>

On Mon, Oct 26, 2009 at 05:54:19PM +0100, Simon Josefsson wrote:
> <Pasi.Eronen at nokia.com> writes:
> > - Second, should Section 8 say something about the flags that are not
> > related to per-message tokens? (deleg, mutual, anon)
> 
> I'm not sure what to add, but will add text if suggested.

I think we should add something like this:

   The mutual_req_flag MUST be set.  If channel binding is used then the
   client MUST check that the corresponding ret_flag is set when the
   context is fully establish, else authentication MUST fail.

The first requirement is important, while the rest is, IMO, redundant --
channel binding necessarily implies mutual authentication in the
Kerberos sense.  Note that we don't require checking that mutual
authentication actually happened.

SCRAM, incidentally, provides mutual authentication in the Kerberos
sense.  We should state that in the SCRAM doc (oops; but we can still
make that change).  SCRAM does not provide mutual authen. in the sense
that both, the client and server have names that are each authenticated
to the other (SCRAM has no notion of server naming).

And we should add something like this too:

   Use or non-use of deleg_req_flag and anon_req_flag is an
   implementation-specific detail.  SASL and GS2 implementors are
   encouraged to provide programming interfaces by which clients may
   choose to delegate credentials and by which servers may receive them.
   SASL and GS2 implementors are encouraged to provide programming
   interfaces which provide a good mapping of GSS-API naming options.

> > - Section 4 should say either that character case (for things like
> > "p=" and "a=") must be exactly as shown here, or that they're case
> > insensitive (if nothing is said, RFC 5234 strings are by default case
> > insensitive, I think).
> 
> I added this paragraph before the ABNF:
> 
> 	  <t>The figure below describes the permissible attributes,
> 	    their use, and the format of their values.  All attribute
> 	    names are single US-ASCII letters and are
> 	    case-sensitive.</t>

For the record, I don't mind if they're really case-insensitive.

Nico
--

Follow-Ups:
- Re: [sasl] AD review comments for draft-ietf-sasl-gs2
  - From: Simon Josefsson

References:
- [sasl] AD review comments for draft-ietf-sasl-gs2
  - From: Pasi.Eronen
- Re: [sasl] AD review comments for draft-ietf-sasl-gs2
  - From: Simon Josefsson

Prev by Date: Re: [sasl] AD review comments for draft-ietf-sasl-gs2
Next by Date: [sasl] Protocol Action: 'Salted Challenge Response (SCRAM) SASL and GSS-API Mechanism' to Proposed Standard
Previous by thread: Re: [sasl] AD review comments for draft-ietf-sasl-gs2
Next by thread: Re: [sasl] AD review comments for draft-ietf-sasl-gs2
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.