Re: [TLS] the use cases for GSS-based TLS and the plea for



Nicolas Williams wrote:
> 
> > *I* want to see a requirement for a server credential in order
> > to put pressure on the interoperability aspect.  Interoperability
> > is important, and the previous specs used a certificate-based
> > credential for this purpose.  We all know pretty well that
> > popular GSS-API mechanisms like Kerberos5 have a serious
> > inter-organisation interoperability problem, and that is
> > unlikely to go away anytime soon.  So to provide interoperability
> > from the beginning we ought to stick to the one authentication
> > scheme that currently works best cross-organization.
> 
> So why bother with this doc then?  Why not just say: "if you want to use
> TLS then deploy a PKI?"  (And to the question of where to store user
> creds, one answer that comes to mind would be kx509, another would be
> SACRED.)

What I meant (and forgot to add) was "certificate-based credential
(self-signed when no PKI is used) as a mandatory-to-implement
feature for interoperability".

If support of cert-based credentials is a mere MAY, then I am sure
there will be servers/services where installing or using a PKI
credential is impossible/defective/unusable, and you cannot complain
to the vendor, because not supporting it is fully compliant with the spec.

Everyone will be happy when Kerberos can be used cross-organization
one day.  But until that day, I want to make sure that the customer
has the working alternative of using PKI when there is a need for it.


-Martin
