List:       namedroppers
Subject:    Breaking GSS-API deadlock
From:       Ólafur Gudmundsson/DNSEXT co-chair <ogud () ogud ! com>
Date:       2003-02-28 13:45:45

After consulting the working group, the consensus is strongly for
updating the GSS-API document to update RFC2845.

Authors are requested to issue a new version of the gss-api draft
with the following changes, based on the draft version that was posted to
the working group.

Abstract: State this document updates RFC2845

Add a new section 2.2 that specifies the change to 2845, by allowing the
TSIG to be introduced at an explicitly specified place in a multi-message
exchange between two DNS entities.


Something along the lines of:
>update Section 4.2 of RFC 2845
>(TSIG):
>Replace:
>"The server MUST not generate a signed response to an unsigned request."
>
>With:
>"The server MUST not generate a signed response to an unsigned request,
>except in case of response to client's unsigned TKEY query if secret key
>is established on server side after server processed client's query.
>Signing responses to unsigned TKEY queries MUST be explicitly specified
>in the description of an individual secret key establishment algorithm."


Add a new subsection (not sure where):
That specifies explicitly that in a [successful] GSS-API TKEY exchange
the LAST message from the server to client MAY/MUST be signed.
Highlight that this depends on the change to RFC2845 specified in section 2.2.

         Olafur
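As an added illustration of the signing rule discussed above (this code is not part of the message, the GSS-API draft, or RFC 2845), the following checks a parsed DNS query against RFC 2845 section 4.2 with the proposed TKEY exception. It assumes a minimal wire-format parser, uses the RR type codes TKEY=249 and TSIG=250, and treats the two conditions of the exception (key established while processing the query, algorithm specification permits a signed TKEY reply) as flags supplied by the caller; the TSIG RDATA in the constructed sample is a placeholder and is not validated.

```python
import struct

TKEY, TSIG = 249, 250  # RR type codes for TKEY and TSIG

def _skip_name(msg, off):
    """Return the offset just past a wire-format name; handles compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += length + 1

def parse_query(msg):
    """Return (qtype, has_tsig): the question type and whether the last RR is a TSIG."""
    qd, an, ns, ar = struct.unpack('!HHHH', msg[4:12])
    off = _skip_name(msg, 12)  # assumes one question, as TKEY/TSIG queries have
    qtype = struct.unpack('!H', msg[off:off + 2])[0]
    off += 4  # QTYPE + QCLASS
    last_type = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        last_type, _cls, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10 + rdlen
    # RFC 2845: a TSIG RR is the last record of the additional section
    return qtype, ar > 0 and last_type == TSIG

def may_sign_response(query, key_established_during_query, alg_permits_signed_tkey_reply):
    """RFC 2845 4.2 plus the proposed TKEY exception; both flags are supplied by the caller."""
    qtype, signed = parse_query(query)
    if signed:
        return True  # signed request: a signed response is always allowed
    # unsigned request: sign only for a TKEY query whose processing established the
    # key, and only if the key-establishment algorithm explicitly specifies this
    return qtype == TKEY and key_established_during_query and alg_permits_signed_tkey_reply

def build_query(qname, qtype, with_tsig=False):
    """Constructed sample query: one question, optional TSIG RR with dummy RDATA."""
    name = b''.join(bytes([len(l)]) + l.encode() for l in qname.split('.')) + b'\x00'
    ar = 1 if with_tsig else 0
    msg = struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, ar) + name + struct.pack('!HH', qtype, 1)
    if with_tsig:
        rdata = b'\x00' * 16  # placeholder, not a real MAC; only RR placement matters here
        msg += b'\x03key\x00' + struct.pack('!HHIH', TSIG, 255, 0, len(rdata)) + rdata
    return msg
```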