RE: [TLS] the use cases for GSS-based TLS and the plea for integrating




Larry Zhu wrote on 7/26/07 9:31 -0700:
Chris Newman wrote:
TLS only provides certificate-based identity today, a mechanism
that is very different from other user identity services because it does not
require the TLS stack to perform a user identity network lookup in the middle
of the TLS handshake.  Doing that means the TLS stack suddenly has to
communicate problems talking to the identity lookup service through the TLS
stack and back to the application.

Reading what you are saying, I suspect you have somewhat misunderstood the proposal and the GSS-API abstraction in general.

That's entirely possible, which is why I wanted to engage in this debate before something arrives in front of the IESG and I have to make a decision. As applications area director, I have to invest time to learn how important infrastructure proposals are likely to impact Internet applications in general, but I have no illusions of being a security expert (rather I'm an application expert with a focus on security technology). This issue is too important for me to decide alone, so I'm asking for help from the community to consider these issues.


Unfortunately I am on my way home. Thanks for the delay in the airport I am
still physically in Chicago.

I wish you a safe flight home. FYI, I very much appreciate your participation in the IETF process. Technical debate is messy but when the parties involved all want the best possible outcome for the Internet, it is worth the effort.


I do want to see Kerberos, TLS and applications such as HTTP, SMTP, IMAP, POP combined in a way that is most likely to be widely deployed by multiple vendors.

I would suggest for you to talk with Sam Hartman

I will certainly do that. However, I recommend you talk to application developers who consume TLS and GSSAPI/SSPI/SASL/EAP APIs to see how they feel about these issues.


               - Chris


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.