IETF-SSH archive


Re: gss userauth

On Tuesday, September 02, 2003 13:08:30 -0400 "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost> wrote:

Jeff, could you please comment on what you don't like about my
proposal to have a gssapi-mic method that does all of the messages
gssapi currently does, followed by sending a mic, and then having a
gssapi-keyex method that does a mic using the keyex context?  I've
sent two messages suggesting this before, but it's not at all clear
that you've acknowledged that I've even proposed this; your reaction to

Er, sorry. Yes, of course I've seen this proposal. I think Markus is proposing essentially the same thing, and I assume it's the leading alternative to the gssapi-mic we've already discussed and specified (can you please use some other name; having two proposals which use the same method name is confusing).

I'm not convinced that what you describe is actually easier to implement correctly. It may be easier to do in the openssh server, because it doesn't require filling in whatever support for partial authentication is missing, but openssh is not the only implementation by any means. I'd like to hear from implementors other than you on this question.

I'm also not convinced that it's better than what we already have. The only real improvement seems to be that it doesn't require using partial authentication, which Markus finds distasteful. I've yet to see any argument as to _why_ using partial authentication is distasteful.

My argument at this point boils down to not wanting to create unnecessary extra work for implementors. If the other implementors who have been involved in this discussion don't think this is a problem, then I'll drop my objections. Note that it will still take me a couple of days to work up a revised version of the draft...


... Markus got into a tangent about SSH_MSG_UNIMPLEMENTED, which you don't
need to get right in order for my proposal to work; and it also gets

Yes; that was in relation to a much earlier proposal which I don't think I even mentioned on this list, except as a reaction to Markus's comments today. The gssapi-mic method doesn't require any particular behaviour with respect to unimplemented messages.

-- Jeff
