List: namedroppers
Subject: Breaking GSS-API deadlock
From: Ólafur Gudmundsson/DNSEXT co-chair <ogud () ogud ! com>
Date: 2003-02-28 13:45:45
After consulting the working group, the consensus is strongly for
updating the GSS-API document to update RFC2845.
Authors are requested to issue a new version of the gss-api draft
with the following changes, based on the version of the draft that was posted to
the working group.
Abstract: State this document updates RFC2845
Add a new section 2.2 that specifies the change to 2845, by allowing the
TSIG to be introduced in an explicitly specified place in a multi-message
exchange between two DNS entities.
Something along the lines of:
>update Section 4.2 of RFC 2845
>(TSIG):
>Replace:
>"The server MUST not generate a signed response to an unsigned request."
>
>With:
>"The server MUST not generate a signed response to an unsigned request,
>except in case of response to client's unsigned TKEY query if secret key
>is established on server side after server processed client's query.
>Signing responses to unsigned TKEY queries MUST be explicitly specified
>in the description of an individual secret key establishment algorithm."
Add a new subsection (not sure where) that specifies explicitly that in
a [successful] GSS-API TKEY exchange the LAST message from the server to
the client MAY/MUST be signed.
Highlight that this depends on the change to RFC2845 specified in section 2.2.
Olafur
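The exchange the proposed wording covers, as an added simulation that is not part of the original message or of any draft: a client sends an unsigned TKEY query, the server establishes the shared secret while processing that query and signs the final TKEY response with the just-established key (the proposed exception), and every other unsigned request still gets an unsigned response (the unchanged RFC 2845 rule). The GSS-API context establishment is replaced by a plain Diffie-Hellman exchange and the TSIG MAC by HMAC-SHA256; the key name, query names and the `Message` layout are constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for GSS-API context establishment: Diffie-Hellman
# over the 1024-bit MODP group of RFC 2409. Real GSS-TSIG carries
# Kerberos/SPNEGO tokens in the TKEY RRs instead.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


@dataclass
class Message:
    """Minimal DNS message: the TSIG RR is reduced to a key name and a MAC."""
    qname: str
    qtype: str
    payload: bytes
    keyname: Optional[str] = None   # TSIG key name when signed
    mac: Optional[bytes] = None     # TSIG MAC, None when unsigned


def tsig_mac(key: bytes, msg: Message) -> bytes:
    """HMAC-SHA256 over the message fields (the analogue of the TSIG MAC)."""
    data = f"{msg.qname}|{msg.qtype}|{msg.keyname}|".encode() + msg.payload
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_key(peer_public: bytes, private: int) -> bytes:
    shared = pow(int.from_bytes(peer_public, "big"), private, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


class Server:
    def __init__(self) -> None:
        self.keys = {}  # established TSIG keys, by key name

    def handle(self, q: Message) -> Message:
        if q.qtype == "TKEY":
            # The exception proposed in this thread: the secret is established
            # while the unsigned TKEY query is processed, so the final TKEY
            # response is signed with that just-established key.
            priv = secrets.randbelow(P - 2) + 2
            key = derive_key(q.payload, priv)
            self.keys[q.qname] = key
            resp = Message(q.qname, "TKEY",
                           pow(G, priv, P).to_bytes(128, "big"), keyname=q.qname)
            resp.mac = tsig_mac(key, resp)
            return resp
        # Unchanged RFC 2845 rule: an unsigned request gets an unsigned
        # response; a signed request is verified and answered signed.
        if q.mac is None:
            return Message(q.qname, q.qtype, b"answer")
        key = self.keys.get(q.keyname)
        if key is None or not hmac.compare_digest(q.mac, tsig_mac(key, q)):
            return Message(q.qname, q.qtype, b"BADSIG")   # unsigned error
        resp = Message(q.qname, q.qtype, b"answer", keyname=q.keyname)
        resp.mac = tsig_mac(key, resp)
        return resp


class Client:
    def __init__(self) -> None:
        self.key: Optional[bytes] = None
        self._priv = 0

    def tkey_query(self, keyname: str) -> Message:
        # Unsigned: the client has no key yet, only its public value.
        self._priv = secrets.randbelow(P - 2) + 2
        return Message(keyname, "TKEY", pow(G, self._priv, P).to_bytes(128, "big"))

    def finish_tkey(self, resp: Message) -> bool:
        """Derive the key, then verify the server's signed final TKEY message."""
        self.key = derive_key(resp.payload, self._priv)
        return resp.mac is not None and hmac.compare_digest(
            resp.mac, tsig_mac(self.key, resp))

    def signed_query(self, keyname: str, qname: str, qtype: str) -> Message:
        q = Message(qname, qtype, b"", keyname=keyname)
        q.mac = tsig_mac(self.key, q)
        return q


def run_exchange() -> dict:
    """TKEY establishment followed by one unsigned and one signed query."""
    server, client = Server(), Client()
    plain = server.handle(Message("example.test", "A", b""))
    tkey_resp = server.handle(client.tkey_query("gss-key.example.test"))
    tkey_ok = client.finish_tkey(tkey_resp)
    answer = server.handle(
        client.signed_query("gss-key.example.test", "example.test", "A"))
    return {
        "plain_response_unsigned": plain.mac is None,
        "tkey_response_signed": tkey_resp.mac is not None,
        "tkey_response_verified": tkey_ok,
        "keys_match": client.key == server.keys["gss-key.example.test"],
        "signed_query_answer_verified": answer.mac is not None
        and hmac.compare_digest(answer.mac, tsig_mac(client.key, answer)),
    }
```

The point the simulation makes is the ordering: the server cannot sign anything until it has processed the client's TKEY payload, so the first message that can carry a valid TSIG is the server's final TKEY response, and the client can only verify it after deriving the same key from that response. A signed request under an unknown key name still yields an unsigned error response, as in RFC 2845.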
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>