Re: [TLS] the use cases for GSS-based TLS and the plea for
Jeffrey Altman wrote:
>
> Martin Rex wrote:
> > What I meant (and forgot to add) was "certificate-based credential
> > (self-signed when no PKI is used) as a mandatory to implement
> > feature for interoperability".
> >
> > If support of cert-based credentials is a mere MAY, then I am sure
> > there will be servers/services where installing or using a PKI
> > credential is impossible/defective/unusable, and you cannot complain
> > to the vendor because not-supporting it is fully compliant with the spec.
> >
> > Everyone will be happy when Kerberos can be used cross-organization
> > one day. But until that day, I want to make sure that the customer
> > has the working alternative to use PKI when there is a need for it.
> Let me rephrase what you want:
>
> * You do not want to require that a server certificate be used when a
> TLS_GSS cipher is selected
Nope. I completely dislike the lack of orthogonality to TLS on
this issue. I do NOT want the gssapi-over-tls to require any particular
ciphersuite (instead work with those that are there and future ones),
and in particular I do NOT want this spec to define a new cipher
suite.
>
> * You do want to require that all TLS implementations support the
> certificate based ciphers
I want a mandatory to implement subset of ciphersuites. SSLv3 had
this and from what Nico says, TLSv1.1 might still have it.
(I'm behind on TLS evolutionary changes.)
>
> Note that while we can standardize implementation requirements, we
> cannot standardize the deployment requirements.
We can not require which buttons the customer presses on installation,
but we can require which buttons must be available to the customer for
installation/configuration.
>
> No one that is promoting TLS GSS wants to eliminate the use of
> certificate based TLS ciphers. The purpose of adding the TLS GSS
> ciphers is to provide a solution for environments where certificate
> management costs exceed the costs of the pre-existing infrastructure.
I have _never_ disputed this motivation. And I certainly do not
want to take this freedom away from the customer. However, I clearly
want to deny the vendor a compliance tag for not providing a fully
functional option to the customer.
-Martin
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.