Re: [TLS] the use cases for GSS-based TLS and the plea for
Nicolas Williams wrote:
>
> On Fri, Jul 20, 2007 at 07:40:34PM +0200, Martin Rex wrote:
> > What I meant (and forgot to add) was "certificate-based credential
> > (self-signed when no PKI is used) as a mandatory to implement
> > feature for interoperability".
> >
> > If support of cert-based credentials is a mere MAY, then I am sure
> > there will be servers/services where installing or using a PKI
> > credential is impossible/defective/unusable, and you cannot complain
> > to the vendor because not-supporting it is fully compliant with the spec.
>
> I don't think this spec aims to change TLS 1.1 to make any current
> cipher suites that are REQUIRED to implement no longer REQUIRED to
> implement. Nor would I support that, for interop reasons, of course.
This isn't about what the TLS implementation supports, but what
subset of the TLS implementations features a server/service
is able to use.
The hard part of the work isn't the code, it is the configuration
and administrative UI stuff.
As I wrote in previous emails, I think the gssapi-over-tls authentication
should be put into a module "TLSplus" above a mostly vanilla TLS and next
to completely vanilla GSS-API and look like a normal TLS for the
application caller. Implementors will probably use different approaches:
some will not provide a separate module and will not be able to plug'n'play
gssapi mechanisms. Others may want to offer exactly this modularization,
and especially the gss-api plug'n'play.
For the architecture I've been trying to describe, ABI issues and
binary plug'n'play are fairly easy compared to the interoperability
issues among independent implementations (at least if you do a certain
level of QA on the API -- tough luck, Solaris Kerberos included:
SunOS 5.9 still contains numerous API-level bugs in the GSS-API;
they should consider adopting several 10-year-old fixes from MIT
Kerberos GSS-API).
-Martin
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.