Nicolas Williams wrote:
There is no such thing as GS1; it should be GSSAPI. Otherwise the new
text is OK.
13.3. Additional Recommendations
If the application requires security layers then it MUST prefer the
SASL "GSSAPI" mechanism over "GS2-KRB5" or "GS2-KRB5-PLUS".
Spencer (minor): If "prefer the mechanism" is the right way to describe
this, I apologize, but I don't know what the MUST means in practice - if
this needs to be at MUST strength, I'd expect text like "MUST use X and
MUST NOT use Y or Z", or "MUST use X unless the server doesn't support X".
Agreed, we should express a MUST NOT instead of a MUST:
If a SASL application requires security layers then it MUST NOT use
GS2 mechanisms. Such an application SHOULD use a SASL mechanism that
does provide security layers, such as GS1 mechanisms.
Ietf mailing list