On Thu, Dec 03, 2009 at 07:02:53PM +0000, Alexey Melnikov wrote:
> Hi Nico,
>
> Nicolas Williams wrote:
>
> >>13.3. Additional Recommendations
> >>
> >> If the application requires security layers then it MUST prefer the
> >> SASL "GSSAPI" mechanism over "GS2-KRB5" or "GS2-KRB5-PLUS".
> >>
> >>Spencer (minor): If "prefer the mechanism" is the right way to describe
> >>this, I apologize, but I don't know what the MUST means in practice - if
> >>this needs to be at MUST strength, I'd expect text like "MUST use X and
> >>MUST NOT use Y or Z", or "MUST use X unless the server doesn't support X".
> >>
> >>
> >Agreed, we should express a MUST NOT instead of a MUST:
> >
> > If a SASL application requires security layers then it MUST NOT use
> > GS2 mechanisms. Such an application SHOULD use a SASL mechanism that
> > does provide security layers, such as GS1 mechanisms.
> >
> >
> There is no such thing as GS1, it should be GSSAPI. Otherwise the new
> text is Ok.

The I-D says:

   The original GSS-API->SASL mechanism bridge was specified by
   [RFC2222], now [RFC4752]; we shall sometimes refer to the original
   bridge as GS1 in this document.

I don't see anything wrong with that.

There's good reason, even, to want to use "GS1" to refer to RFC4572:
RFC2222/4572's use of "GSSAPI" to refer to the "Kerberos V5 GSS-API
mechanism" is wrong and confusing. Avoiding confusion is a good thing.