[secdir] secdir review of draft-ietf-sasl-gs2-17
"Glen Zorn" <gwz@net-zen.net> Fri, 20 November 2009 19:41 UTC
Return-Path: <gwz@net-zen.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C26A33A6873 for <secdir@core3.amsl.com>; Fri, 20 Nov 2009 11:41:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIgusJr-3YvW for <secdir@core3.amsl.com>; Fri, 20 Nov 2009 11:41:22 -0800 (PST)
Received: from p3plsmtpa01-04.prod.phx3.secureserver.net (p3plsmtpa01-04.prod.phx3.secureserver.net [72.167.82.84]) by core3.amsl.com (Postfix) with SMTP id 989FB3A672E for <secdir@ietf.org>; Fri, 20 Nov 2009 11:41:22 -0800 (PST)
Received: (qmail 18483 invoked from network); 20 Nov 2009 19:41:18 -0000
Received: from unknown (66.187.181.250) by p3plsmtpa01-04.prod.phx3.secureserver.net (72.167.82.84) with ESMTP; 20 Nov 2009 19:41:12 -0000
From: Glen Zorn <gwz@net-zen.net>
To: secdir@ietf.org, iesg@ietf.org, simon@josefsson.org, Nicolas.Williams@sun.com, 'Kurt Zeilenga' <Kurt.Zeilenga@Isode.com>, tlyu@mit.edu, 'Alexey Melnikov' <alexey.melnikov@isode.com>
Date: Fri, 20 Nov 2009 14:39:59 -0500
Organization: Network Zen
Message-ID: <000001ca6a19$665b3320$33119960$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpqGOx74WhdqIuES2On4tKsAj6aVA==
Content-Language: en-us
Subject: [secdir] secdir review of draft-ietf-sasl-gs2-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2009 19:41:22 -0000
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
GENERAL COMMENTS
The reference to a document is not the document; for example, in the
following excerpt from section 2, there are no names defined in the
reference to RFC 2743:
The document uses many terms and function names defined in [RFC2743]
as updated by [RFC5554].
Please change to something like
The document uses many terms and function names defined in RFC 2743
[RFC2743]
as updated by RFC 5554 [RFC5554].
Note that this comment applies globally to all such usages in the document.
ABSTRACT
The last sentence of the Abstract says: "See
<http://josefsson.org/sasl-gs2-*/> for more information." Unless the
referenced URL is intended to be permanently available (and probably even
then), this line should be removed before publication as an RFC.
SECTION 3
Third paragraph, first sentence.
Old:
If the GSS_Inquire_SASLname_for_mech interface is not used, the GS2
implementation need some other mechanism to map mechanism OIDs to
SASL name internally. In this case, the implementation can only
New:
If the GSS_Inquire_SASLname_for_mech interface is not used, the GS2
implementation needs some other mechanism to map mechanism OIDs to
SASL names internally. In this case, the implementation can only
SECTION 3.1
s/characters outside of the base32 alphabet/characters outside of the Base32
alphabet/
SECTION 3.2
s/This obliterate the need/This obliterates the need/
The final sentence seems slightly clumsy; suggest the following change:
Old:
The computed mechanism name can be used
directly in the implementation, and the implementation need not
concern itself with that the mechanism is part of a mechanism family.
New:
The computed mechanism name can be used
directly in the implementation, and the implementation need not
be concerned if the mechanism is part of a mechanism family.
SECTION 4
In the fourth paragraph, s/As this indicate an error condition/As this
indicates an error condition/
In paragraph 5, "The [RFC2743] section 3.1 initial context token header" has
the sound of GSSAPI "code words" ;-). Suggest changing to "The GSSAPIv2
initial context token header (see section 3.1 of RFC 2743 [RFC2743])" or
some such.
A similar comment pertains to the first paragraph on page 9; suggest:
Old:
When the "gs2-nonstd-flag" flag is present, the client did not find/
remove a [RFC2743] section 3.1 token header from the initial token
returned by GSS_Init_sec_context. This signals to the server that it
MUST NOT re-add the data that is normally removed by the client.
New:
When the "gs2-nonstd-flag" flag is present, the client did not find/
remove a GSSAPIv2 token header (RFC 2743, section 3.1) from the initial
token
returned by GSS_Init_sec_context. This signals to the server that it
MUST NOT re-add the data that is normally removed by the client.
s/The NUL characters is forbidden/The NUL character is forbidden/
s/Upon the receipt/Upon receipt/
s/results in failed authentication exchange/results in a failed
authentication exchange/
SECTION 5
I find this section rather difficult to understand: not all of the possible
combinations of gs2-cb-flag and server support for channel bindings seem to
be covered. A table might help, if not for that the gs2-cb-flag is
tri-valued & used to signal two different things.
SECTION 5.1
First sentence s/The calls to GSS_Init_sec_context and
GSS_Accept_sec_context takes a/The calls to GSS_Init_sec_context and
GSS_Accept_sec_context take a/
SECTION 6
This section needs a lot of work if it is expected to be understood by
non-members of the Illuminati ;->. Just one example (of many possible):
Example #3: a two round-trip GSS-API context token exchange, no
channel binding, no standard token header.
C: Request authentication exchange
S: Empty Challenge
C: F,n,,<initial context token without
standard header>
S: Send reply context token as is
C: Send reply context token as is
S: Send reply context token as is
C: Empty message
S: Outcome of authentication exchange
What does this mean? What do 'F' & 'n' stand for? How is it useful? It
might be claimed that these questions could be answered by dissecting the
ABNF for the gs2 header, but I don't think that's a good answer: examples
should be self-contained.
SECTION 8
The first paragraph says:
GS2 does not use any GSS-API per-message tokens. Therefore the
setting of req_flags related to per-message tokens is irrelevant.
OK, but what should the client and server behavior should be WRT the flags?
SECTION 14.1
Old:
If a client implement GSS-API mechanism X, potentially negotiated
through a GSS-API mechanism Y, and the server also implement GSS-API
mechanism X negotiated through a GSS-API mechanism Z, the
authentication negotiation will fail.
New:
If a client implements GSS-API mechanism X, potentially negotiated
through a GSS-API mechanism Y, and the server also implements GSS-API
mechanism X negotiated through a GSS-API mechanism Z, the
authentication negotiation will fail.
SECTION 14.2
s/use of GSS-API mechanisms that negotiate other mechanisms are/use of
GSS-API mechanisms that negotiate other mechanisms is/
- [secdir] secdir review of draft-ietf-sasl-gs2-17 Glen Zorn
- Re: [secdir] secdir review of draft-ietf-sasl-gs2… Nicolas Williams
- Re: [secdir] secdir review of draft-ietf-sasl-gs2… Alexey Melnikov
- Re: [secdir] secdir review of draft-ietf-sasl-gs2… Simon Josefsson
- Re: [secdir] secdir review of draft-ietf-sasl-gs2… Simon Josefsson