Re: [TLS] the use cases for GSS-based TLS and the plea for

To: martin.rex at sap.com
Subject: Re: [TLS] the use cases for GSS-based TLS and the plea for
From: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: Fri, 20 Jul 2007 13:55:59 -0400
Cc: tls at ietf.org, Nicolas Williams <Nicolas.Williams at sun.com>
In-reply-to: <200707201740.l6KHeYgH008101@fs4113.wdf.sap.corp>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Openpgp: url=http://pgp.mit.edu
Organization: Secure Endpoints Inc.
References: <200707201740.l6KHeYgH008101@fs4113.wdf.sap.corp>
Reply-to: jaltman at secure-endpoints.com
User-agent: Thunderbird 2.0.0.5 (Windows/20070716)

Martin Rex wrote:
> What I meant (and forgot to add) was "certificate-based credential
> (self-signed when no PKI is used) as a mandatory to implement
> feature for interoperability".
>
> If support of cert-based credentials is a mere MAY, then I am sure
> there will be servers/services where installing or using a PKI
> credential is impossible/defective/unusable, and you cannot complain
> to the vendor because not-supporting it is fully compliant with the spec.
>
> Everyone will be happy when Kerberos can be used cross-organization
> one day.  But until that day, I want to make sure that the customer
> has the working alternative to use PKI when there is a need for it.
Let me rephrase what you want:

* You do not want to require that a server certificate be used when a
TLS_GSS cipher is selected

* You do want to require that all TLS implementations support for the
certificate based ciphers

Note that while we can standardize implementation requirements, we
cannot standardize the deployment requirements. 

No one that is promoting TLS GSS wants to eliminate the use of
certificate based TLS ciphers.  The purpose of adding the TLS GSS
ciphers is to provide a solution for environments that certificate
management costs exceed the costs of the pre-existing infrastructure.

Jeffrey Altman

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] the use cases for GSS-based TLS and the plea for
  - From: Martin Rex

References:
- Re: [TLS] the use cases for GSS-based TLS and the plea for
  - From: Martin Rex

Prev by Date: Re: [TLS] the use cases for GSS-based TLS and the plea for
Next by Date: Re: [TLS] the use cases for GSS-based TLS and the plea for
Previous by thread: Re: [TLS] the use cases for GSS-based TLS and the plea for
Next by thread: Re: [TLS] the use cases for GSS-based TLS and the plea for
Index(es):
- Date
- Thread

Re: [TLS] the use cases for GSS-based TLS and the plea for

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.