Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family
RFC 5801

[Ballot comment]
I am agreeing with Adrian's comment.

From SecDir review:

OLD:
  GS2 does not use any GSS-API per-message tokens.  Therefore the
  setting of req_flags related to per-message tokens is irrelevant.

NEW:
  GS2 does not use any GSS-API per-message tokens.  Therefore the
  per-message token ret_flags from GSS_Init_sec_context() and
  GSS_Accept_sec_context() are irrelevant; implementations SHOULD NOT
  set the per-message req_flags.


Nico has suggested to add:

    FLAG SERVER CB SUPPORT DISPOSITION
    ---- ----------------- -----------

    n Irrelevant If server disallows non-channel-
                                        bound authentication, then fail

    y CB not supported Authentication may succeed

    y CB supported Authentication must fail

    p CB supported Authentication may succeed, with
                                        CB used

    p CB not supported Authentication will fail

    CB not supported Client does not even try because
                                        it insists on CB

[Ballot comment]
Section 10.1 - nit
      OM_uint32 gss_inquire_saslname_for_mech(
        OM_uint32    *minor_status,
        const gss_OID  desired_mech,
        gss_buffer_t  sasl_mech_name,
        gss_buffer_t  mech_name,
        gss_buffer_t  mech_description,
      );
Superfluous comma after mech_description.

[Ballot discuss]
Discuss-Discuss

I had formed the opinion that we frowned upon the inclusion of URLs in
general and specifically those that might not be stable.

This document includes such a URL in the Abstract

I'd like to hear the opinions of other ADs about whether this is a good
idea before clearing during the telechat.

IANA questions/comments:


- Are you requesting that GS2-KRB5 and GS2-KRB5-PLUS be registered?

- Are you asking us to register SPNEGO somewhere?

Upon approval of this document, IANA will make the following
assignment in the "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL)
MECHANISMS" registry 1t
http://www.iana.org/assignments/sasl-mechanisms

MECHANISMS USAGE REFERENCE OWNER
---------- ----- --------- -----
GS2-* COMMON [RFC-ietf-sasl-gs2-17] iesg@ietf.org

Although the IETF last call doesn't end until 2009-11-18, I'm
hoping the authors submit a revised ID during the IETF week
to address the comments received at that point.

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

Alexey Melnikov  is the document shepherd
for this document.
The document is ready for publication.

(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

This document was reviewed by several active and experienced SASL WG members.
So there are no concerns about the depth of the reviews.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization or XML?

No concerns.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here. Has an IPR disclosure related to this document
been filed? If so, please include a reference to the
disclosure and summarize the WG discussion and conclusion on
this issue.

No specific concerns. No IPR disclosure was filed for this document.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

There is solid WG consensus behind the document.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)
No.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/). Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type and URI type reviews?

idnits 2.11.14 was used to verify the document.
It reported 1 obsolete informational reference which is intentional.
(It also reported an outdated reference to draft-ietf-sasl-scram,
which can be fixed by RFC Editor.)

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

There is one downward normative reference in the document ([tls-unique])
that points to an IANA registration.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC2434]. If the
document describes an Expert Review process has Shepherd
conferred with the Responsible Area Director so that the IESG
can appoint the needed Expert during the IESG Evaluation?

IANA considerations section exists, it adds 4 SASL mechanism registrations,
as well as puts some restrictions on registrations ending with "-PLUS" or
starting with "GS2-".

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

ABNF in the document was verified by BAP. It reported no errors.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary
Relevant content can frequently be found in the abstract
and/or introduction of the document. If not, this may be
an indication that there are deficiencies in the abstract
or introduction.

This document describes how to use a Generic Security Service
Application Program Interface (GSS-API) mechanism in the the Simple
Authentication and Security Layer (SASL) framework. This is done by
defining a new SASL mechanism family, called GS2. This mechanism
family offers a number of improvements over the previous "SASL/
GSSAPI" mechanism: it is more general, uses fewer messages for the
authentication phase in some cases, and supports negotiable use of
channel binding. Only GSS-API mechanisms that support channel
binding are supported.


Working Group Summary
Was there anything in WG process that is worth noting? For
example, was there controversy about particular points or
were there decisions where the consensus was particularly
rough?

The document went through several redesign phases, which resulted in
drastic change in on the wire representation.
However it represents strong WG consensus.

There were significant and long discussions over channel binding type
negotiation.
After long considerations, it
was decided to leave channel binding type negotiation external to
GS2- and to provide a default of tls-unique. This simplify the
design and makes it easy to implement in popular configurations (i.e.,
together with TLS). I believe that today this has strong support in
the WG.

There was also a recent discussion about IANA registration procedure
for SASL mechanisms starting with GS2- prefix. The discussion resulted
in consensus that the document is correct as written.

Document Quality
Are there existing implementations of the protocol? Have a
significant number of vendors indicated their plan to
implement the specification? Are there any reviewers that
merit special mention as having done a thorough review,
e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If
there was a MIB Doctor, Media Type or other expert review,
what was its course (briefly)? In the case of a Media Type
review, on what date was the request posted?

At least a couple (both clients and server) implementations of the
document are planned.

Personnel
Who is the Document Shepherd for this document? Who is the
Responsible Area Director?

Alexey Melnikov  is the document shepherd
for this document.

  (1.a)  Who is the Document Shepherd for this document?  Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?

        Kurt Zeilenga
        Yes.

  (1.b)  Has the document had adequate review both from key WG members
          and from key non-WG members?  Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?

        Yes.  Yes.  As the SASL and GSSAPI communities are relatively small,
        I tend to have some concerns with any document produced by these
        communities.  However, though small, the communities level of
        expertise is strong and broad.

  (1.c)  Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization, or XML?

        The document would likely benefit from secdir and genart reviews.

  (1.d)  Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of?  For example, perhaps he
          or she is uncomfortable with certain parts of the document,
or
          has concerns whether there really is a need for it.  In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here.  Has an IPR disclosure related to this
document
          been filed?  If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.

        No.

  (1.e)  How solid is the WG consensus behind this document?  Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?

        Strong.

  (1.f)  Has anyone threatened an appeal or otherwise indicated
extreme
          discontent?  If so, please summarize the areas of conflict in
          separate email messages to the Responsible Area Director.
(It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)

        No.

  (1.g)  Has the Document Shepherd personally verified that the
          document satisfies all ID nits?  (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/.)  Boilerplate checks are
          not enough; this check needs to be thorough.  Has the
document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type, and URI type reviews?  If the document
          does not already indicate its intended status at the top of
          the first page, please indicate the intended status here.

        Yes.

  (1.h)  Has the document split its references into normative and
          informative?  Are there normative references to documents
that
          are not ready for advancement or are otherwise in an unclear
          state?  If such normative references exist, what is the
          strategy for their completion?  Are there normative
references
          that are downward references, as described in [RFC3967]?  If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].

        References are okay.

  (1.i)  Has the Document Shepherd verified that the document's IANA
          Considerations section exists and is consistent with the body
          of the document?  If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries?  Are the IANA registries clearly identified?  If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations?  Does it suggest a
          reasonable name for the new registry?  See [RFC2434].  If the
          document describes an Expert Review process, has the Document
          Shepherd conferred with the Responsible Area Director so that
          the IESG can appoint the needed Expert during IESG
Evaluation?

        IANA considerations section is okay.

        Registration of GS2- does requires expert review.  I'm willing to serve
        as the expert.

  (1.j)  Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?

        N/A

  (1.k)  The IESG approval announcement includes a Document
          Announcement Write-Up.  Please provide such a Document
          Announcement Write-Up.  Recent examples can be found in the
          "Action" announcements for approved documents.  The approval
          announcement contains the following sections:

          Technical Summary
                This document describes how to use GSS-API mechanisms
                in SASL.  The document specifies a family of SASL
                mechanisms, GS2, which each GSS-API is mapped into.
                The mechanisms of the GS2 family replace previously
                defined SASL mechanisms for particular GSS-API mechanisms,
                including the Kerberos V "GSSAPI" mechanism.

          Working Group Summary
                The SASL WG has strong consensus that the GS2 is the
                right approach moving forward.  The WG worked closely
                with members of the GSS-API and Kerberos communities
                to ensure the approach is technically sound.

          Document Quality
                Multiple vendors have indicated they plan to implement
                this specification.  The document has been reviewed by
                lead developers for commonly used SASL framework products.

          Personnel
                Shepherd: Kurt Zeilenga
                Responsible AD: Sam Hartman

                IANA expert required for registration of GS2-*.  I am
                willing to serve as the expert.