Re: [TLS] Review of draft-santesson-tls-gssapi-00




Jeffrey Altman wrote:
> 
> Martin Rex wrote:
> > Making it easy or encouraging people to configure future Web-Servers
> > with TLS_GSSAPI only ciphersuites is equal to dropping
> > mandatory to implement ciphersuites and traditional strong interoperability
> > of TLS will be lost forever.
> The sites that have deployed RFC 2712 do not have certificates today and
> they want to force users to authenticate using their existing Kerberos
> infrastructure.  Forcing the deployment of a certificate in order to
> deploy TLS_GSS is not going to alter the behavior of the administrators
> who insist that only Kerberos mutual authentication be used.
> 
> Please remember that mandatory to implement does not mean mandatory to
> deploy.    There is nothing preventing the deployment of a server that
> supports both TLS_GSS and certificate based ciphers that are used in
> most public settings.   Adding complexity to the deployment of TLS_GSS
> is not going to alter the deployment policies of the administrators who
> use it.

Actually, I would appreciate a (new) requirement that a TLS server
MUST possess at least a self-signed credential for one of the
mandatory-to-implement ciphersuites that include server authentication.

Allowing the admin to disable the ciphersuite is OK, but allowing the
implementation to run without any credential for at least one of
the mandatory-to-implement ciphersuites appears to be a bug in the
interoperability concept behind the mandatory to implement ciphersuites.


-Martin

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls