Last Call Review of draft-ietf-kitten-rfc5653bis-05
review-ietf-kitten-rfc5653bis-05-secdir-lc-polk-2017-11-18-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready.

This document is a straightforward update of RFC 5653:

1. The draft modifies GSSException to support an embedded error token; as
specified in RFC 5653 a JGSS application throwing a GSSException could
not return an error token, a functional shortcoming in comparison with
the C bindings of GSS-API (see RFC 2744). The embedded error token
corrects this shortcoming. The document describes a compatibility strategy
for new JGSS programs that run with both RFC5653 and RFC5653bis Java
bindings.

2. The draft removes stream-based GSSContext methods.  These methods
cannot be implemented correctly where tokens have no self-framing or the
library has no knowledge of the token format.  The document states that
applications using input and output streams as the means to convey
authentication and per-message GSS-API tokens should also define the wire
protocol.  The reviewer infers that new applications using this design
strategy should be compatible with RFC5653 bindings, but that is not
explicitly stated.