Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family
RFC 5801

Note: This ballot was opened for revision 20 and is now closed.

(Pasi Eronen) Yes

(Jari Arkko) No Objection

(Ron Bonica) No Objection

(Ross Callon) No Objection

(Ralph Droms) No Objection

Comment (2009-11-30 for -)
Nits:

The third para of the Introduction, s/The "Kerberos/the "Kerberos/

Section 3.2, s/obliterate/eliminates/

Section 5.1, s/takes a/take a/

(Lisa Dusseault) No Objection

(Adrian Farrel) (was Discuss) No Objection

Comment (2009-11-27)
Section 10.1 - nit
      OM_uint32 gss_inquire_saslname_for_mech(
        OM_uint32     *minor_status,
        const gss_OID  desired_mech,
        gss_buffer_t   sasl_mech_name,
        gss_buffer_t   mech_name,
        gss_buffer_t   mech_description,
      );
Superfluous comma after mech_description.

(Russ Housley) No Objection

Comment (2009-12-02 for -)
  Several editorial improvements were suggested in the Gen-ART Review
  by Spencer Dawkins.  Please consider them.

(Cullen Jennings) No Objection

(Tim Polk) No Objection

(Dan Romascanu) No Objection

(Robert Sparks) No Objection

Comment (2009-12-01 for -)
Is [tls-unique] pointing to the IANA registry? If so, could it include a link?

Magnus Westerlund No Objection

Alexey Melnikov Recuse

Comment (2009-12-02 for -)
I agree with Adrian's comment.

From SecDir review:

OLD:
   GS2 does not use any GSS-API per-message tokens.  Therefore the
   setting of req_flags related to per-message tokens is irrelevant.

NEW:
   GS2 does not use any GSS-API per-message tokens.  Therefore the
   per-message token ret_flags from GSS_Init_sec_context() and
   GSS_Accept_sec_context() are irrelevant; implementations SHOULD NOT
   set the per-message req_flags.

Nico has suggested adding:

    FLAG    SERVER CB SUPPORT   DISPOSITION
    ----    -----------------   -----------
    n       Irrelevant          If server disallows non-channel-bound
                                authentication, then fail
    y       CB not supported    Authentication may succeed
    y       CB supported        Authentication must fail
    p       CB supported        Authentication may succeed, with CB used
    p       CB not supported    Authentication will fail
    <none>  CB not supported    Client does not even try because it
                                insists on CB