Re: [TLS] Review of draft-santesson-tls-gssapi-00


Martin Rex wrote:
> Making it easy or encouraging people to configure future Web-Servers
> with TLS_GSSAPI only ciphersuites is equal to dropping
> mandatory to implement ciphersuites and traditional strong interoperability
> of TLS will be lost forever.

The sites that have deployed RFC 2712 do not have certificates today and
they want to force users to authenticate using their existing Kerberos
infrastructure. Forcing the deployment of a certificate in order to
deploy TLS_GSS is not going to alter the behavior of the administrators
who insist that only Kerberos mutual authentication be used.

Please remember that mandatory to implement does not mean mandatory to
deploy. There is nothing preventing the deployment of a server that
supports both TLS_GSS and certificate based ciphers that are used in
most public settings. Adding complexity to the deployment of TLS_GSS
is not going to alter the deployment policies of the administrators who
use it.

Jeffrey Altman

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.