Re: Last Call: 'The Kerberos V5 ("GSSAPI") SASL mechanism' to Proposed Standard (draft-ietf-sasl-gssapi)

I request consideration of the following changes prior to publication.

Page 4, first paragraph, please change:
   [...]  When calling the GSS_Init_sec_context the client
   MUST pass the integ_req_flag of TRUE.
to
   [...]  When calling the GSS_Init_sec_context the client
   SHOULD pass the integ_req_flag of TRUE.

Otherwise, publication of this document would have the effect of declaring 
existing deployed software to be non-compliant.  I agree that this change 
is desirable, but I disagree about retroactively declaring existing 
software broken.  If the WG feels strongly enough, it'd be alright to have 
something in the security considerations saying that earlier versions did 
not require the integ_req_flag, but all new implementations ought to have 
it and old implementations fixed.


Suggested changes (this is just cosmetic):

Page 5, second paragraph, change
   [...] chan_binding of NULL
to:
   [...] chan_binding of GSS_C_NO_CHANNEL_BINDINGS

Similarly for page 7 in the third paragraph of the Security 
Considerations.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.