Re: Gen-ART review of draft-ietf-sasl-gs2-18

Subject: Re: Gen-ART review of draft-ietf-sasl-gs2-18
From: Nicolas Williams
Date: Mon, 7 Dec 2009 10:32:51 -0600
On Mon, Dec 07, 2009 at 10:37:21AM +0000, Alexey Melnikov wrote:
> Nicolas Williams wrote:
> 
> >On Thu, Dec 03, 2009 at 07:02:53PM +0000, Alexey Melnikov wrote:  
> >
> >>Hi Nico,
> >>
> >>Nicolas Williams wrote:
> >>
> >>>>13.3.  Additional Recommendations
> >>>>
> >>>>If the application requires security layers then it MUST prefer the
> >>>>SASL "GSSAPI" mechanism over "GS2-KRB5" or "GS2-KRB5-PLUS".
> >>>>
> >>>>Spencer (minor): If "prefer the mechanism" is the right way to describe 
> >>>>this, I apologize, but I don't know what the MUST means in practice - 
> >>>>if this needs to be at MUST strength, I'd expect text like "MUST use X 
> >>>>and MUST NOT use Y or Z", or "MUST use X unless the server doesn't 
> >>>>support X".
> >>>>
> >>>Agreed, we should express a MUST NOT instead of a MUST:
> >>>
> >>>If a SASL application requires security layers then it MUST NOT use
> >>>GS2 mechanisms.  Such an application SHOULD use a SASL mechanism that
> >>>does provide security layers, such as GS1 mechanisms.
> >>>
> >>There is no such thing as GS1, it should be GSSAPI. Otherwise the new 
> >>text is Ok.
> >>
> >The I-D says:
> >
> >                                                           The original
> >  GSS-API->SASL mechanism bridge was specified by [RFC2222], now
> >  [RFC4752]; we shall sometimes refer to the original bridge as GS1 in
> >  this document.
> >
> >I don't see anything wrong with that.
> >
> Very well. I forgot about that.
> 
> >There's good reason, even, to want to use "GS1" to refer to RFC4572:
> >RFC2222/4572's use of "GSSAPI" to refer to the "Kerberos V5 GSS-API
> >mechanism" is wrong and confusing.  Avoiding confusion is a good thing.
> >
> Personally I dislike unnecessary indirection, as it allows for extra 
> confusion as well. There is only 1 mechanism in GS1 family (ignoring 
> GSS-SPNEGO), it is called "GSSAPI". So I think the original text is 
> actually better, if we add a reference and change "prefer" to "use":
> 
>  If the application requires SASL security layers then it MUST use the
>  SASL "GSSAPI" mechanism [RFC4572] instead of "GS2-KRB5" or "GS2-KRB5-PLUS".
> 
> Opinions?

Well, how about adding a parenthetical to the current text after 'GS1'
saying "(i.e., "GSSAPI")"?
_______________________________________________
Ietf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf