RE: [TLS] Re: Review of draft-santesson-tls-gssapi-00

To: Simon Josefsson <simon at josefsson.org>, "Pasi.Eronen at nokia.com" <Pasi.Eronen at nokia.com>
Subject: RE: [TLS] Re: Review of draft-santesson-tls-gssapi-00
From: Stefan Santesson <stefans at microsoft.com>
Date: Wed, 21 Mar 2007 18:22:10 +0000
Accept-language: en-US
Acceptlanguage: en-US
Cc: Ari Medvinsky <arimed at windows.microsoft.com>, "tls at ietf.org" <tls at ietf.org>
In-reply-to: <87odmmo60s.fsf@mocca.josefsson.org>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <A15AC0FBACD3464E95961F7C0BCD1FF01EEDF5A8@EA-EXMSG-C307.europe.corp.microsoft.com> <200703081752.SAA13445@uw1048.wdf.sap.corp> <A15AC0FBACD3464E95961F7C0BCD1FF01EEDF84A@EA-EXMSG-C307.europe.corp.microsoft.com> <861wjyfnmp.fsf@delta.rtfm.com> <A15AC0FBACD3464E95961F7C0BCD1FF01EEDF88A@EA-EXMSG-C307.europe.corp.microsoft.com> <86fy8ee7g5.fsf@delta.rtfm.com> <A15AC0FBACD3464E95961F7C0BCD1FF01EEDFC6F@EA-EXMSG-C307.europe.corp.microsoft.com> <B356D8F434D20B40A8CEDAEC305A1F2403E92576@esebe105.NOE.Nokia.com> <A15AC0FBACD3464E95961F7C0BCD1FF01EF5FEA6@EA-EXMSG-C307.europe.corp.microsoft.com> <B356D8F434D20B40A8CEDAEC305A1F2403E92709@esebe105.NOE.Nokia.com> <33F43BC3-4F76-48B1-9DC9-3B05C951C7BE@checkpoint.com> <B356D8F434D20B40A8CEDAEC305A1F2403ECA9BA@esebe105.NOE.Nokia.com> <802A881C87166D4597F9EEFC3F04F4F80468C8EE@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com> <B356D8F434D20B40A8CEDAEC305A1F2403ECAA05@esebe105.NOE.Nokia.com> <87odmmo60s.fsf@mocca.josefsson.org>
Thread-index: Acdr36r1w2vqVmr6Qf6901cbs6VUrwABav0A
Thread-topic: [TLS] Re: Review of draft-santesson-tls-gssapi-00

I disagree that the application need to be altered in the original proposal.

It all depends on where TLS obtains its policies and parameters. If that is supplied by separate configuration or policy DB, then the originally proposed handshake can be performed transparent to the application.


Stefan Santesson
Senior Program Manager
Windows Security, Standards


> -----Original Message-----
> From: Simon Josefsson [mailto:simon at josefsson.org]
> Sent: den 21 mars 2007 18:34
> To: Pasi.Eronen at nokia.com
> Cc: Ari Medvinsky; tls at ietf.org
> Subject: [TLS] Re: Review of draft-santesson-tls-gssapi-00
>
> <Pasi.Eronen at nokia.com> writes:
>
> > Ari Medvinsky wrote:
> >>
> >> Pasi,
> >>
> >> I have two objections to the proposal of doing a GSS exchange
> >> after the finished msgs:
> >> 1) Numerous existing applications expect to know the identity of the
> >> client upon completion of the handshake (e.g., consider https for
> >> existing web servers, there lots of other examples); your proposal
> >> would require major overhaul to the way apps are secured today with
> >> TLS
> >
> > I'm not sure if I understand this concern. Certainly a TLS library
> > doing GSS-API would tell the application "handshake completed"
> > only after the GSS-API part was also completed?
>
> I'm not convinced of that.  It is useful for TLS library APIs to be
> consistent with the TLS protocol.  Your proposal was to add the
> GSS-API negotiation after the TLS handshake.
>
> What this means in practice is that, to speak in library-specific API
> terms, that applications after calling gnutls_handshake() will have to
> call gnutls_gssapi_handshake().  This is similar to what we did for
> TLS/IA, after gnutls_handshake() the application calls
> gnutls_ia_handshake() to perform the inner handshake.  Only once both
> calls have finished successfully will the application be satisfied.
>
> I disagree that this is a serious problem.  Yes, both TLS libraries
> and applications must be changed, but they need to be changed to
> support this functionality anyway.  The changes inherent in Pasi's
> proposal aren't that much bigger than those in Stefan's original
> proposal.
>
> /Simon
>
> _______________________________________________
> TLS mailing list
> TLS at lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Re: Review of draft-santesson-tls-gssapi-00
  - From: Martin Rex

References:
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Stefan Santesson
- Re: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Martin Rex
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Stefan Santesson
- Re: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: EKR
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Stefan Santesson
- Re: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: EKR
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Stefan Santesson
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Pasi.Eronen
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Stefan Santesson
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Pasi.Eronen
- Re: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Yoav Nir
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Pasi.Eronen
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Ari Medvinsky
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Pasi.Eronen
- [TLS] Re: Review of draft-santesson-tls-gssapi-00
  - From: Simon Josefsson

Prev by Date: [TLS] RE: Review of draft-santesson-tls-gssapi-00
Next by Date: RE: [TLS] TLS state machine
Previous by thread: [TLS] RE: Review of draft-santesson-tls-gssapi-00
Next by thread: Re: [TLS] Re: Review of draft-santesson-tls-gssapi-00
Index(es):
- Date
- Thread

RE: [TLS] Re: Review of draft-santesson-tls-gssapi-00

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.