The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism
draft-ietf-kitten-2478bis-05

[Ballot comment]
IESG has asked for a ban on protocols calling themselves "Simple"  - this is no doubt as
simple as it can be, but it's not simple.  So I know that this can't be renamed - it is
recycling, but I'm just registering that it would have been nice to be able to change
the S to Straightforward instead of Simple :)

[Ballot comment]
IESG has asked for a ban on protocols calling themselves "Simple"  - this is no doubt as
simple as it can be, but it's not simple.  I think it could be called the "Straightforward and
Protected Negotiation..."

[Ballot comment]
(from Spencer Dawkins, Gen-Art reviewer)

This document is basically ready for publication. It's also OK for me to say that it's a well-written document that makes sense to first-time readers.

I do have one comment.

There's a lot of text around "per-message integrity services" in this document - it's important enough to mention in the abstract - but this term wasn't precisely defined and I didn't see an obvious reference that it pointed to. It wasn't clear to me what the connection between "per-message integrity services" and MICs was - and I didn't see a reference for MICs, either. It may be that all of this is perfectly clear to security types, but I didn't "get it". A quick look at ftp://ftp.rfc-editor.org/in-notes/rfc2743.txt made me wonder if this should be the reference, but I'm not smart enough to know what the reference should be.

Tom Yu comments:

2478bis>        ContextFlags ::= BIT STRING {
2478bis>            delegFlag      (0),
2478bis>            mutualFlag      (1),
2478bis>            replayFlag      (2),
2478bis>            sequenceFlag    (3),
2478bis>            anonFlag        (4),
2478bis>            confFlag        (5),
2478bis>            integFlag      (6)
2478bis>        } (SIZE (32))

There should be additional text explaining that the size constraint
does not affect the DER requirement for the encoder to strip trailing
zero bits from the bit string, and that implementations should not
depend on receiving exactly 32 bits in an encoding.

Suggested text:

"The size constraint on the ContextFlags ASN.1 type only applies to
the abstract type.  The ASN.1 DER require that all trailing zero bits
be truncated from the encoding of a bit string type whose abstract
definition includes named bits.  Implementations should not expect to
receive exactly 32 bits in an encoding of ContextFlags."

1.a) Have the chairs personally reviewed this version of the
Internet
      Draft (ID), and in particular, do they believe this ID is
ready
      to forward to the IESG for publication?

The draft has been reviewed by the chair and I believe it is ready
for publication by the IESG.

1.b) Has the document had adequate review from both key WG members
      and key non-WG members?  Do you have any concerns about the
      depth or breadth of the reviews that have been performed?

The document has been reviewed and implemented by engineers from
Microsoft (Larry Zhu), Sun Microsystems (Wyllys Ingersoll), and
Heimdal (Love Hörnquist Ã…strand and Luke Howard).  There has
also been significant review and comment by Tom Yu, Martin Rex, Ken
Raeburn, Simon Spero, and Bill Sommerfeld.

1.c) Do you have concerns that the document needs more review from a
      particular (broader) perspective (e.g., security, operational
      complexity, someone familiar with AAA, etc.)?

No.

1.d) Do you have any specific concerns/issues with this document
that
      you believe the ADs and/or IESG should be aware of?  For
      example, perhaps you are uncomfortable with certain parts of
the
      document, or have concerns whether there really is a need for
      it.  In any event, if your issues have been discussed in the
WG
      and the WG has indicated it that it still wishes to advance
the
      document, detail those concerns in the write-up.

This document updates a proposed standard which is known to have
been implemented by a number of organizations which do not
participate in the IETF process.  The document which is being
replaced is ambiguous in several crucial areas.  This has resulted
in a variety of interoperability and security problems in the known
deployed implementations.  The working group has tried very hard to
provide security in the updated version while maintaining as much
backward compatibility as possible.  My one concern is that the
working group suspects that there are one or more implementations of
the original specification for which we do not have the ability to
verify that the proposed changes will be acceptable.  The working
group has done as much as is possible.  The only other option would
be to scrap GSS SPNEGO entirely but that would require a flag day
which the current participants of the working group insist must be
avoided.  The solution provided in this document does provide a high
degree of interoperability among implementations from the current
IETF participants.


1.e) How solid is the WG consensus behind this document? Does it
      represent the strong concurrence of a few individuals, with
      others being silent, or does the WG as a whole understand and
      agree with it?

The WG consensus behind this document is strong and represents the
opinions of all participating implementors of the specification.

1.f) Has anyone threatened an appeal or otherwise indicated extreme
      discontent?  If so, please summarise the areas of conflict in
      separate email to the Responsible Area Director.

No.

1.g) Have the chairs verified that the document adheres to all of
the
      ID nits? (see http://www.ietf.org/ID-Checklist.html).

Yes.

The ASN.1 provided in Appendix A parses successfully using 'asnpp'.

1.h) Is the document split into normative and informative
references?
      Are there normative references to IDs, where the IDs are not
      also ready for advancement or are otherwise in an unclear
state?
      (note here that the RFC editor will not publish an RFC with
      normative references to IDs, it will delay publication until
all
      such IDs are also ready for publication as RFCs.)

Yes.


Technical Summary:

This document specifies a negotiation mechanism for the Generic
Security Service Application Program Interface (GSS-API) which is
described in RFC 2743.

GSS-API peers can use this negotiation mechanism to choose from a
common set of security mechanisms.

If per-message integrity services are available on the established
mechanism context, then the negotiation is protected against an
attacker forcing the selection of a mechanism not desired by the
peers.

This mechanism replaces RFC 2478 in order to fix defects in that
specification and to describe how to inter-operate with
implementations of that specification commonly deployed on the
Internet.


Working Group Summary:

The Kitten working group participants can be partitioned into two
significant groups: those who worked on GSS API Version 2 Update 1
and the other products of the CAT WG; and those who did not.  The
viewpoints of these two groups differ because of their respective
experiences and the requirements they have for the resulting
protocols.  The greatest challenge in producing this document was
ensuring that each group talked with each other instead of at each
other.  Once this was accomplished, reaching consensus was time
consuming but it was not controvertial in any way.

At IETF 61, a team of implementors, the WG Chair, and the AD met
to validate the approach to providing security and backward
compatibility.  WGLC in December produced several issues which were
subsequently addressed on the mailing list with clear consensus.
It is the opinion of the chair that a second WGLC was not required.
Consensus was declared on the document on 4 March 2005.


Protocol Quality:

There are three existing implementations of the specified protocol
produced by Microsoft, Sun Microsystems and Heimdal although they
are not currently available to the public.  Testing has been
performed for backward compatibility and interoperability.  Testing
identified implementation defects but not protocol design problems.

A review of the document was conducted at the request of the
Security ADs by Bill Sommerfeld.