RE: [TLS] Review of draft-santesson-tls-gssapi-00

Yoav Nir wrote:

> > We certainly have to complete the authentication (including GSS-API)
> > before we let application data through. In my proposal, that would
> > happen after the channel binding messages (not immediately after the
> > finished messages).
> 
> This would change the same state machine which you reference in RFC
> 2246. That figure makes it clear that application data immediately
> follows the Finished message. Inserting more handshake messages
> between the Finished message and the application data is just as big
> a change as is inserting them before the Finished message.

In my proposal, the GSS-API messages would use a new content type, not
handshake; so the state machine for TLS handshake message processing
would not be changed.

IMHO this is a smaller change (but I admit that judging the size of
these changes is somewhat subjective).

<snip>
> I suggest that rather than conducting a straw poll about whether or
> not GSSAPI (or TEE) should become working group items, we first have
> one on whether external authentication should become a working group
> item.  If the answer to that is yes, we can then discuss whether we
> should use the RADIUS namespace, EAP or GSSAPI.

To even consider a straw poll about TEE, you need to present a
plausible plan on how to revise the EAP applicability statement (which
will not happen in TLS WG, but somewhere else) that is acceptable
to the EAP community and SEC ADs.

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
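Added example (not from the draft, the thread, or any IETF implementation): a toy TLS record-layer gate illustrating the ordering Pasi describes, where the GSS-API exchange rides in its own content type after Finished and application data is refused until it completes. The handshake message parser is left alone; only the record demultiplexer learns the new type. The content type value 24, the one-round-trip `toy_gss_accept`, the unencrypted Finished record and the sample tokens are all constructed assumptions for the example.

```python
"""Record-layer gate for a post-Finished GSS-API exchange carried in its own
TLS content type.  Example code, not from draft-santesson-tls-gssapi or any
TLS stack.  Simplifications: records are in the clear, no fragmentation, and
the GSS-API exchange is a single client token answered by one server token."""
import struct

# Content types assigned in RFC 2246 / RFC 5246.
CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
# Hypothetical value for GSS-API records; assumption for this example only.
CT_GSSAPI = 24

HS_FINISHED = 20  # HandshakeType finished


def build_record(content_type, payload, version=(3, 3)):
    """5-byte TLS record header (type, version, length) followed by payload."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def build_handshake(msg_type, body):
    """Handshake message: 1-byte type, 3-byte length, body."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def toy_gss_accept(token):
    """Constructed stand-in for an acceptor's gss_accept_sec_context(): one round trip."""
    if token == b"client-initial-token":
        return True, b"server-final-token"
    raise ValueError("GSS-API token rejected")


class RecordGate:
    """Demultiplexes records by content type and enforces the ordering
    handshake (unchanged state machine) -> GSS-API records -> application data."""

    def __init__(self, gss_accept):
        self.gss_accept = gss_accept
        self.finished_seen = False
        self.gss_done = False
        self.app_data = []
        self.log = []

    def feed(self, record):
        ct, _major, _minor, length = struct.unpack("!BBBH", record[:5])
        payload = record[5:5 + length]
        if len(payload) != length:
            raise ValueError("truncated record")
        if ct == CT_HANDSHAKE:
            return self._handshake(payload)
        if ct == CT_GSSAPI:
            # New content type: only legal between Finished and completion.
            if not self.finished_seen:
                raise ValueError("GSS-API record before Finished")
            if self.gss_done:
                raise ValueError("GSS-API record after exchange completed")
            done, reply = self.gss_accept(payload)
            self.gss_done = done
            self.log.append(("gss", done))
            return reply
        if ct == CT_APPLICATION_DATA:
            # Application data waits for both Finished and the GSS-API exchange.
            if not (self.finished_seen and self.gss_done):
                raise ValueError("application data before authentication completed")
            self.app_data.append(payload)
            self.log.append(("app", len(payload)))
            return None
        if ct in (CT_CHANGE_CIPHER_SPEC, CT_ALERT):
            self.log.append(("other", ct))
            return None
        raise ValueError("unknown content type %d" % ct)

    def _handshake(self, payload):
        # Untouched by the extension: it only needs to notice Finished.
        msg_type = payload[0]
        body_len = int.from_bytes(payload[1:4], "big")
        if len(payload) - 4 != body_len:
            raise ValueError("truncated handshake message")
        if msg_type == HS_FINISHED:
            self.finished_seen = True
        self.log.append(("hs", msg_type))
        return None


def run_demo():
    """Happy path: Finished, one GSS-API round trip, then application data."""
    gate = RecordGate(toy_gss_accept)
    gate.feed(build_record(CT_HANDSHAKE, build_handshake(HS_FINISHED, b"\x00" * 12)))
    reply = gate.feed(build_record(CT_GSSAPI, b"client-initial-token"))
    gate.feed(build_record(CT_APPLICATION_DATA, b"GET / HTTP/1.0\r\n\r\n"))
    return reply, gate.app_data, gate.log


def app_data_before_gss_rejected():
    """Application data right after Finished, before the GSS-API exchange, is refused."""
    gate = RecordGate(toy_gss_accept)
    gate.feed(build_record(CT_HANDSHAKE, build_handshake(HS_FINISHED, b"\x00" * 12)))
    try:
        gate.feed(build_record(CT_APPLICATION_DATA, b"early"))
    except ValueError:
        return True
    return False


def gss_before_finished_rejected():
    """A GSS-API record arriving before Finished is refused."""
    gate = RecordGate(toy_gss_accept)
    try:
        gate.feed(build_record(CT_GSSAPI, b"client-initial-token"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo())
```

The point of the layout is that `_handshake` is the same code a plain TLS stack would run; the extra ordering rule lives entirely in the record demultiplexer, which is what makes this a record-layer change rather than a handshake state-machine change. A real implementation would also have to decide what the gate does with alerts and renegotiation while the GSS-API exchange is in flight, which the example does not model.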