I should have mentioned NPN and ALPN too. A TLS application could use ALPN to negotiate the use of a variant of the real application protocol, with the variant starting with a channel-bound GSS context token exchange. The ALPN approach can optimize the GSS mechanism negotiation, at the price of a Cartesian explosion of {app protocols} x {GSS mechs}. A variant based on the same idea could avoid the Cartesian explosion. But hey, TLS is the land of Cartesian explosions; when in Rome...

The ALPN approach would be my preference here. With TLS libraries implementing the GSS context exchange, naturally. The result would be roughly what you seem to have in mind.

If we ask TLS WG, I strongly suspect that we'll be asked to look at ALPN first.

I should add that I also would like to see the RFC4121 Kerberos GSS mechanism gain PFS, independently of TLS gaining GSS.

Nico
--