IETF-SSH archive
Re: Comment on draft-ietf-secsh-gsskeyex-06
(Sorry for the delay, vacation time.)
Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:
> On Sun, 6 Jul 2003, Simon Josefsson wrote:
>
>> The document says:
>>
>> The client SHOULD NOT send more than one gssapi mechanism OID unless
>> there are no non-GSSAPI authentication methods between the GSSAPI
>> mechanisms in the order of preference, otherwise, authentication
>> methods may be executed out of order.
>>
>> Besides having four (!) negations, I think some hints on how different
>> GSSAPI mechanisms should be handled instead would be useful. E.g.:
>>
>> The client SHOULD send more than one mechanism OID only when all
>> of the mechanisms are of the same priority, compared to non-GSSAPI
>> authentication methods. Otherwise, authentication methods may be
>> executed out of order. Thus, the client could first send a
>> SSH_MSG_USERAUTH_REQUEST for one GSSAPI mechanism, then try public
>> key authentication, and then try another GSSAPI mechanism.
>
> I think we can do something along these lines, but not specifically the
> text you propose. The problem is that SHOULD and SHOULD NOT are not
> exactly inverses.
>
> We say "you SHOULD NOT do X unless Y". This makes a recommendation if Y
> is false, but none if Y is true.
>
> You say "you SHOULD do X if Y". This makes a recommendation if Y is true,
> but none if Y is false.
You are right, my text isn't good. Still, some improvement on that
paragraph probably wouldn't hurt. The rather obvious intended
behaviour is currently easily lost in the complicated language.
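The intended behaviour the thread is arguing about (bundle several GSS-API mechanism OIDs into one SSH_MSG_USERAUTH_REQUEST only when no non-GSSAPI method sits between them in the client's preference order, otherwise split them so methods are tried in order) can be stated as a short planning routine. The following is an added illustration, not text or code from the draft or from either poster; the method label "gssapi", the dataclass names and the sample preference lists are assumptions made here, and the mechanism OIDs are the well-known Kerberos V5 and SPNEGO values used only as sample input.

```python
"""Plan SSH userauth requests from an ordered client preference list.

Added example modelling the rule discussed for draft-ietf-secsh-gsskeyex:
consecutive GSS-API mechanisms may share one request, but a non-GSSAPI
method between two GSS-API mechanisms forces separate requests so that
nothing is attempted out of preference order.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

# Assumed label for the GSS-API userauth method; the page does not name it.
GSSAPI_METHOD = "gssapi"


@dataclass(frozen=True)
class GssMech:
    """One GSS-API mechanism identified by its dotted-decimal OID."""
    oid: str


@dataclass(frozen=True)
class OtherMethod:
    """A non-GSSAPI userauth method such as 'publickey' or 'password'."""
    name: str


Preference = Union[GssMech, OtherMethod]


@dataclass(frozen=True)
class UserauthRequest:
    """One SSH_MSG_USERAUTH_REQUEST: method name plus any bundled mechanism OIDs."""
    method: str
    mech_oids: Tuple[str, ...] = ()


def plan_requests(preferences: List[Preference]) -> List[UserauthRequest]:
    """Group runs of adjacent GSS-API mechanisms; break the run at any other method."""
    requests: List[UserauthRequest] = []
    pending: List[str] = []

    def flush() -> None:
        # Emit one GSS-API request carrying every OID collected so far.
        if pending:
            requests.append(UserauthRequest(GSSAPI_METHOD, tuple(pending)))
            pending.clear()

    for pref in preferences:
        if isinstance(pref, GssMech):
            pending.append(pref.oid)          # same priority band: keep bundling
        else:
            flush()                           # a non-GSSAPI method ends the band
            requests.append(UserauthRequest(pref.name))
    flush()
    return requests


def attempt_order(requests: List[UserauthRequest]) -> List[str]:
    """Flatten the plan into the order in which methods/mechanisms are tried."""
    order: List[str] = []
    for req in requests:
        order.extend(req.mech_oids if req.method == GSSAPI_METHOD else [req.method])
    return order


def preserves_preference(preferences: List[Preference]) -> bool:
    """Check that the plan tries everything in the client's original order."""
    wanted = [p.oid if isinstance(p, GssMech) else p.name for p in preferences]
    return attempt_order(plan_requests(preferences)) == wanted


# Sample inputs (constructed); OIDs are the well-known Kerberos V5 and SPNEGO values.
KRB5 = "1.2.840.113554.1.2.2"
SPNEGO = "1.3.6.1.5.5.2"

# GSS-API mechanisms adjacent in preference: one request carries both OIDs.
CONTIGUOUS = [GssMech(KRB5), GssMech(SPNEGO), OtherMethod("password")]

# A non-GSSAPI method between them: the mechanisms must be sent separately.
INTERLEAVED = [GssMech(KRB5), OtherMethod("publickey"), GssMech(SPNEGO)]

if __name__ == "__main__":
    for label, prefs in (("contiguous", CONTIGUOUS), ("interleaved", INTERLEAVED)):
        print(label, plan_requests(prefs), "order ok:", preserves_preference(prefs))
```

Running the module prints two plans: the contiguous list collapses to a single "gssapi" request followed by "password", while the interleaved list yields three requests, so that public key authentication is tried before the second mechanism exactly as the preference order demands.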