[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [sasl] AD review comments for draft-ietf-sasl-gs2

From: Simon Josefsson <simon at josefsson.org>
To: Nicolas Williams <Nicolas.Williams at sun.com>
Cc: sasl at ietf.org
Date: Thu, 29 Oct 2009 15:31:58 +0100
In-reply-to: <20091026170119.GL892 at Sun.COM> (Nicolas Williams's message of "Mon, 26 Oct 2009 12:01:19 -0500")
References: <808FD6E27AD4884E94820BC333B2DB774E7F2F03EC at NOK-EUMSG-01.mgdnok.nokia.com> <87aaze85ac.fsf at mocca.josefsson.org> <20091026170119.GL892 at Sun.COM>

Nicolas Williams <Nicolas.Williams at sun.com> writes:

> On Mon, Oct 26, 2009 at 05:54:19PM +0100, Simon Josefsson wrote:
>> <Pasi.Eronen at nokia.com> writes:
>> > - Second, should Section 8 say something about the flags that are not
>> > related to per-message tokens? (deleg, mutual, anon)
>> 
>> I'm not sure what to add, but will add text if suggested.
>
> I think we should add something like this:
>
>    The mutual_req_flag MUST be set.  If channel binding is used then the
>    client MUST check that the corresponding ret_flag is set when the
>    context is fully establish, else authentication MUST fail.
>
> The first requirement is important, while the rest is, IMO, redundant --
> channel binding necessarily implies mutual authentication in the
> Kerberos sense.  Note that we don't require checking that mutual
> authentication actually happened.

Seems fine to me, added in my local copy.

> And we should add something like this too:
>
>    Use or non-use of deleg_req_flag and anon_req_flag is an
>    implementation-specific detail.  SASL and GS2 implementors are
>    encouraged to provide programming interfaces by which clients may
>    choose to delegate credentials and by which servers may receive them.
>    SASL and GS2 implementors are encouraged to provide programming
>    interfaces which provide a good mapping of GSS-API naming options.

Added too.

>> > - Section 4 should say either that character case (for things like
>> > "p=" and "a=") must be exactly as shown here, or that they're case
>> > insensitive (if nothing is said, RFC 5234 strings are by default case
>> > insensitive, I think).
>> 
>> I added this paragraph before the ABNF:
>> 
>> 	  <t>The figure below describes the permissible attributes,
>> 	    their use, and the format of their values.  All attribute
>> 	    names are single US-ASCII letters and are
>> 	    case-sensitive.</t>
>
> For the record, I don't mind if they're really case-insensitive.

I would prefer to keep SCRAM and GS2 in sync here.

Thanks,
/Simon

References:
- [sasl] AD review comments for draft-ietf-sasl-gs2
  - From: Pasi.Eronen
- Re: [sasl] AD review comments for draft-ietf-sasl-gs2
  - From: Simon Josefsson
- Re: [sasl] AD review comments for draft-ietf-sasl-gs2
  - From: Nicolas Williams

Prev by Date: Re: [sasl] [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
Next by Date: Re: [sasl] SASL WG agenda and attendance
Previous by thread: Re: [sasl] AD review comments for draft-ietf-sasl-gs2
Next by thread: Re: [sasl] AD review comments for draft-ietf-sasl-gs2
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.