Re: [TLS] Review of draft-santesson-tls-gssapi-00

To: arimed at windows.microsoft.com (Ari Medvinsky)
Subject: Re: [TLS] Review of draft-santesson-tls-gssapi-00
From: Martin Rex <martin.rex at sap.com>
Date: Thu, 22 Mar 2007 00:21:47 +0100 (MET)
Cc: tls at ietf.org
In-reply-to: <802A881C87166D4597F9EEFC3F04F4F80468C8EE@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com> from "Ari Medvinsky" at Mar 21, 7 09:55:48 am
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com

Ari Medvinsky wrote:
> 
> 2) Your proposal still requires the server to have an X509 certificate;
> the original proposal does not have this constraint.  There are
> scenarios where it is desirable not require server to have an SSL cert.

If at all, the architecture should address GSS-API in general,
not just specific mechanisms favoured by a few.

SSL/TLS has been around for >10 years, so providing web servers with an
X.509 cert is a long solved problem.  The reason why gssapi authentication
is interesting is because it would allow one to authenticate clients/users
based on their existing (non-X.509) credentials in order to provide
Single Sign-On.

Since the installed base does not yet implement a tls-gss extension
(heck, we don't even know what it is going to look like), we ought
to provide a migration path instead of a flag day, so that clients
that are later in supporting tls-gss can still interoperate based
on existing authentication schemes, and ultimately that means
the server ought to provide an X.509 cert for quite some time.

-Martin

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [***SPAM*** Score/Req: 11.0/5.0] Re: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Jeffrey Altman

References:
- RE: [TLS] Review of draft-santesson-tls-gssapi-00
  - From: Ari Medvinsky

Prev by Date: Re: [TLS] Review of draft-santesson-tls-gssapi-00
Next by Date: Re: [***SPAM*** Score/Req: 11.0/5.0] Re: [TLS] Review of draft-santesson-tls-gssapi-00
Previous by thread: Re: [TLS] Review of draft-santesson-tls-gssapi-00
Next by thread: Re: [***SPAM*** Score/Req: 11.0/5.0] Re: [TLS] Review of draft-santesson-tls-gssapi-00
Index(es):
- Date
- Thread

Re: [TLS] Review of draft-santesson-tls-gssapi-00

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.