RE: [TLS] Review of draft-santesson-tls-gssapi-00
Ari Medvinsky wrote:
> 
> Pasi,
> 
> I have two objections to the proposal of doing a GSS exchange
> after the finished msgs:
> 1) Numerous existing applications expect to know the identity of the
> client upon completion of the handshake (e.g., consider https for
> existing web servers; there are lots of other examples); your proposal
> would require a major overhaul of the way apps are secured today with
> TLS.

I'm not sure if I understand this concern. Certainly a TLS library
doing GSS-API would tell the application "handshake completed"
only after the GSS-API part was also completed?

> 2) Your proposal still requires the server to have an X509
> certificate; the original proposal does not have this constraint.
> There are scenarios where it is desirable not to require the server
> to have an SSL cert.

I agree that we don't want to require server certs. While the rough
sketch in my earlier message did "TLS_RSA_GSSAPI_WITH_...", it
would work exactly the same way for "TLS_DH_anon_GSSAPI_WITH_...".
So a server cert is not needed.

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls