Re: [TLS] the use cases for GSS-based TLS and the plea for integrating

Leif Johansson wrote on 7/26/07 22:00 +0200:
I'd agree that implementers only want to integrate one security
services layer. But some implementers want their security services
layer and identity stack to be as cleanly separated as possible so a
tight binding between the two is not desirable.  TLS only provides
certificate-based identity today, a mechanism that is very different
from other user identity services because it does not require the TLS
stack to perform a user identity network lookup in the middle of the
TLS handshake.  Doing that means the TLS stack suddenly has to
communicate problems talking to the identity lookup service through
the TLS stack and back to the application.

Username+password has the same property right?

Yes.

Would you support a password-based scheme inside TLS or

Most schemes that embed user authentication in the TLS state machine have similar issues. Since GSSAPI is a framework for authentication mechanisms in general, it inherits the superset of all authentication-identity-related issues.


would you support removing authentication from TLS entirely?

No. Server certificate authentication is useful in practice as part of today's interim solution to authentication despite certain dubious qualities. As client certificate authentication is a rarely used feature of TLS, it's questionable whether it should have been included in the original design. However, given that the mechanism has deployed well in implementations and is actually used in some enclaves, it would be far too disruptive to change now. Client certificates are also less problematic because the identity service lookup can be deferred to the application layer using a mechanism such as SASL EXTERNAL or IMAP "* PREAUTH".


               - Chris


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
