[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL mechanism' to Proposed Standard (draft-ietf-sasl-gssapi) Mark Crispin Sat Sep 09 11:06:34 2006

I request consideration of the following changes prior to publication.

Page 4, first paragraph, please change:
   [...]  When calling the GSS_Init_sec_context the client
   MUST pass the integ_req_flag of TRUE.
   [...]  When calling the GSS_Init_sec_context the client
   SHOULD pass the integ_req_flag of TRUE.

Otherwise, publication of this document would have the effect of declaring existing deployed software to be non-compliant. I agree that this change is desirable, but I disagree about retroactively declaring existing software broken. If the WG feels strongly enough, it'd be alright to have something in the security considerations saying that earlier versions did not require the integ_req_flag, but all new implementations ought to have it and old implementations fixed.

Suggested changes (this is just cosmetic):

Page 5, second paragraph, change
   [...] chan_binding of NULL
   [...] chan_binding of GSS_C_NO_CHANNEL_BINDINGS

Similarly for page 7 in the third paragraph of the Security Considerations.

-- Mark --

Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.