Hi Josh,

Hi Alex,

Thanks for the update.


    Changes include:


* Added motivation section indicating why this is required.
This is definitely a good addition; however, I don't believe that it is
complete. Ideally I think it needs to consider the questions that I raised
previously in the context of the previous discussion that Sam initiated
about generic gss pre-auth versus gss-eap pre-auth:

What are the practical benefits of a generic gss pre-auth mechanism when
Kerberos pre-auth itself provides an extensible framework? I can see that
there is value in re-using deployed gss mechanisms if this avoids
having to create functionally-equivalent but redundant pre-auth mechanisms
in the case where an equivalent gss mechanism already exists, but are
there really so many of these that this is a compelling argument? It
sounds as though there is potentially a trade-off that we could make
between complexity and generality.

FWIW I haven't developed an opinion on these yet, but I would be
interested to hear if you have any...


Since the principal final purpose of this draft (in conjunction with the other one submitted to the ABFAB WG) is to enable the KDC to authenticate users based on the GSS-EAP mechanism, I don't see any advantage in transporting GSS tokens on top of FAST. It adds an additional and unnecessary layer, since neither GSS-API nor EAP assumes any kind of secure transport.

That said, the draft specifies that you can use it on top of FAST if that is more convenient for your requirements; nothing precludes it. Though, of course, that is not mandatory.

Besides, as I see it, this draft does follow the indications of the pre-authentication framework to define a new pre-authentication mechanism. What it does not do is to define a FAST factor, but IMO those are different things.

Hope this clarifies something.

Best regards,
Alejandro


Josh.




_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
