[Ietf-http-auth] Re: [SAML-mechanism] RE: as in SAML
Gerald.Beuchelt at Sun.COM
Wed Nov 16 07:13:25 PST 2005
I agree and go along with your assessment. The reason I brought this up was that I would not like to see a SASL-only mechanism, but rather see a GSS SAML mechanism that can then be used with SAML. I guess we are on the same page here?
From: Leif Johansson [mailto:leifj at it.su.se]
Sent: Wed 11/16/2005 9:32 AM
To: Gerald Beuchelt
Cc: ietf-http-auth at osafoundation.org
Subject: Re: [Ietf-http-auth] Re: [SAML-mechanism] RE: as in SAML SASL Mechanism?
Gerald Beuchelt wrote:
> I definitively see your points for choosing SASL from a protocol perspective.
> However, one of the reasons I prefer GSS over SASL is the fact that the
> Windows Security architecture uses SSPI. If we want to make adoption
> easy for that platform and encourage interoperability, GSS would
> probably be a better choice.
It's actually not one or the other - GSS (at least GSS-SPNEGO and
GSS-KRB5) are already defined as SASL mechanisms. The SASL/GSS
debate is over frameworks, not mechanisms. My summary of the debate
- I claim that the benefit of SASL over GSS (as frameworks) is
pretty slim. I base this on the availability of SASL mechs on
standards track which aren't already covered by existing HTTP
authentication mechanisms (BASIC, X509 and DIGEST-MD5).
- Nico, jaltman et al claim that SASL is as good as anything
else and that non-standards-track mechs have to be taken into
I agree with Nico: *shrug* sure whatever....
Please note though that the Microsoft-issue is yet a separate
When designing a new http authentication mechanism it is probably
a good idea to take existing deployments into account. This is my main
argument for going with Negotiate with cbindings over anonymous tls;
this approach probably has a better chance of being widely deployed
since it basically already is.
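Leif's argument for "Negotiate with cbindings over anonymous tls" rests on one property: when the authentication exchange is bound to the TLS channel, a relay that terminates the anonymous TLS session with the client and opens its own session to the server cannot pass the client's authenticator through unnoticed. The simulation below, added here as an illustration and not code from the thread or from any GSS/SASL implementation, models that with constructed data: `tls_unique` is a stand-in for a per-session channel binding (in the spirit of RFC 5929 tls-unique, derived from a handshake transcript), the client puts the binding under a MIC keyed with a shared secret, and the server compares the received binding with the one for the channel it actually sees. The key, user name and transcripts are all constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret standing in for the key a real mechanism
# (e.g. Kerberos session key under Negotiate) would derive.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def tls_unique(handshake_transcript: bytes) -> bytes:
    """Stand-in for a channel-binding value: unique per TLS session.

    A real tls-unique is taken from the Finished message of the handshake;
    here it is simply a hash of a constructed transcript, which is enough to
    make two different TLS sessions yield two different bindings.
    """
    return hashlib.sha256(b"tls-unique|" + handshake_transcript).digest()[:12]


def make_authenticator(key: bytes, user: str, client_cb: bytes) -> dict:
    """Client side: bind the authenticator to the channel it negotiated.

    The MIC covers both the identity and the channel binding, so neither can
    be altered in transit without the key.
    """
    mic = hmac.new(key, user.encode() + client_cb, hashlib.sha256).digest()
    return {"user": user, "cb": client_cb, "mic": mic}


def verify_authenticator(key: bytes, auth: dict, server_cb: bytes) -> str:
    """Server side: check integrity first, then that the binding matches
    the TLS channel the server itself terminated."""
    expected = hmac.new(key, auth["user"].encode() + auth["cb"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, auth["mic"]):
        return "bad-mic"             # authenticator was modified in flight
    if not hmac.compare_digest(auth["cb"], server_cb):
        return "channel-mismatch"    # authenticator came over a different channel
    return "ok"


def direct_session() -> str:
    """Client talks to the server over one TLS session: bindings agree."""
    transcript = b"constructed-handshake-client<->server"
    auth = make_authenticator(SHARED_KEY, "alice", tls_unique(transcript))
    return verify_authenticator(SHARED_KEY, auth, tls_unique(transcript))


def relayed_session() -> str:
    """Anonymous TLS lets a relay sit in the middle with two sessions.

    The client binds to session A; the server sees session B. Forwarding the
    authenticator verbatim is detected as a channel mismatch.
    """
    auth = make_authenticator(
        SHARED_KEY, "alice", tls_unique(b"constructed-handshake-client<->relay"))
    server_cb = tls_unique(b"constructed-handshake-relay<->server")
    return verify_authenticator(SHARED_KEY, auth, server_cb)


def relayed_session_rewritten_cb() -> str:
    """If the relay instead rewrites the binding to match its own session
    with the server, the MIC no longer verifies (it lacks the key)."""
    auth = make_authenticator(
        SHARED_KEY, "alice", tls_unique(b"constructed-handshake-client<->relay"))
    server_cb = tls_unique(b"constructed-handshake-relay<->server")
    auth = dict(auth, cb=server_cb)  # relay substitutes the binding it sees
    return verify_authenticator(SHARED_KEY, auth, server_cb)


if __name__ == "__main__":
    print("direct:", direct_session())
    print("relayed, forwarded verbatim:", relayed_session())
    print("relayed, binding rewritten:", relayed_session_rewritten_cb())
```

The two failure labels are the point: without the binding the relayed authenticator would verify exactly like the direct one, which is why the thread treats channel bindings as what makes "anonymous TLS plus Negotiate" acceptable rather than the TLS layer on its own.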