Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family
draft-ietf-sasl-gs2-20

Yes

(Pasi Eronen)

No Objection

(Cullen Jennings)
(Dan Romascanu)
(Jari Arkko)
(Lisa Dusseault)
(Magnus Westerlund)
(Ron Bonica)
(Ross Callon)
(Tim Polk)

Recuse


Note: This ballot was opened for revision 20 and is now closed.

Pasi Eronen Former IESG member
Yes
Adrian Farrel Former IESG member
(was Discuss) No Objection
No Objection (2009-11-27) Unknown
Section 10.1 - nit
      OM_uint32 gss_inquire_saslname_for_mech(
        OM_uint32     *minor_status,
        const gss_OID  desired_mech,
        gss_buffer_t   sasl_mech_name,
        gss_buffer_t   mech_name,
        gss_buffer_t   mech_description,
      );
Superfluous comma after mech_description.
Cullen Jennings Former IESG member
No Objection
Dan Romascanu Former IESG member
No Objection
Jari Arkko Former IESG member
No Objection
Lisa Dusseault Former IESG member
No Objection
Magnus Westerlund Former IESG member
No Objection
Ralph Droms Former IESG member
No Objection
No Objection (2009-11-30) Unknown
Nits:

The third para of the Introduction, s/The "Kerberos/the "Kerberos/

Section 3.2, s/obliterate/eliminates/

Section 5.1, s/takes a/take a/
Robert Sparks Former IESG member
No Objection
No Objection (2009-12-01) Unknown
Is [tls-unique] pointing to the IANA registry? If so, could it include a link?
Ron Bonica Former IESG member
No Objection
Ross Callon Former IESG member
No Objection
Russ Housley Former IESG member
No Objection
No Objection (2009-12-02) Unknown
  Several editorial improvements were suggested in the Gen-ART Review
  by Spencer Dawkins.  Please consider them.
Tim Polk Former IESG member
No Objection
Alexey Melnikov Former IESG member
Recuse
Recuse (2009-12-02) Unknown
I am agreeing with Adrian's comment.

From SecDir review:

OLD:
   GS2 does not use any GSS-API per-message tokens.  Therefore the
   setting of req_flags related to per-message tokens is irrelevant.

NEW:
   GS2 does not use any GSS-API per-message tokens.  Therefore the
   per-message token ret_flags from GSS_Init_sec_context() and
   GSS_Accept_sec_context() are irrelevant; implementations SHOULD NOT
   set the per-message req_flags.


Nico has suggested adding:

    FLAG      SERVER CB SUPPORT   DISPOSITION
    ----      -----------------   -----------

    n         Irrelevant          If server disallows non-channel-
                                  bound authentication, then fail

    y         CB not supported    Authentication may succeed

    y         CB supported        Authentication must fail

    p         CB supported        Authentication may succeed, with
                                  CB used

    p         CB not supported    Authentication will fail

    <none>    CB not supported    Client does not even try because
                                  it insists on CB
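
An added example, not part of the ballot comments or the draft: a server-side check that applies the disposition table above to the channel-binding flag at the start of a GS2 initial response. The header layout (optional `F,`, then `n`, `y` or `p=<cb-name>`, then an optional `a=` authzid) is assumed from the GS2 specification rather than shown on this page; the function names, the `require_cb` policy switch, the per-type `server_cb_types` set and the sample messages are constructed for illustration.

```python
# Added example: server-side handling of the GS2 channel-binding (CB) flag.
# Assumed header layout (from the GS2 specification, not shown on this page):
#   ["F,"] cb-flag "," ["a=" authzid] "," token
#   cb-flag is "n", "y" or "p=<cb-name>"


def parse_cb_flag(msg: bytes):
    """Return (flag, cb_name) parsed from a GS2 initial response."""
    body = msg[2:] if msg.startswith(b"F,") else msg  # non-standard marker
    parts = body.split(b",", 2)  # the token is binary and may contain commas
    if len(parts) != 3:
        raise ValueError("truncated gs2-header")
    flag, authzid, _token = parts
    if authzid and not authzid.startswith(b"a="):
        raise ValueError("malformed authzid field")
    if flag in (b"n", b"y"):
        return flag.decode("ascii"), None
    if flag.startswith(b"p=") and len(flag) > 2:
        return "p", flag[2:].decode("ascii")
    raise ValueError("unknown channel-binding flag")


def server_disposition(msg: bytes, server_cb_types: set, require_cb: bool = False) -> str:
    """Apply the disposition table; an empty server_cb_types means no CB support."""
    # The table's <none> row is a client-side decision and never reaches the server.
    flag, cb_name = parse_cb_flag(msg)
    if flag == "n":
        # Client cannot do CB: only server policy decides.
        return "fail" if require_cb else "continue"
    if flag == "y":
        # Client can do CB but believes the server cannot. If the server can,
        # the mechanism list the client saw may have been altered (downgrade).
        return "fail" if server_cb_types else "continue"
    # flag == "p": the client is using CB and named the binding type.
    return "continue-with-cb" if cb_name in server_cb_types else "fail"


if __name__ == "__main__":
    # Constructed sample messages; "<tok>" stands in for the GSS-API token.
    samples = [b"n,,<tok>", b"y,,<tok>", b"p=tls-unique,,<tok>",
               b"F,p=tls-unique,a=admin,<tok>"]
    for supported in (set(), {"tls-unique"}):
        for msg in samples:
            print(sorted(supported), msg, "->", server_disposition(msg, supported))
```

Here "continue" means only that the flag check passed; the GSS-API exchange itself still decides whether authentication succeeds.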