[Ietf-http-auth] Re: [SAML-mechanism] RE: as in SAML SASLMechanism?

Gerald Beuchelt Gerald.Beuchelt at Sun.COM
Wed Nov 16 07:13:25 PST 2005


I agree and go along with your assessment. The reason I brought this up was that I would not like to see a SASL-only mechanism, but rather see a GSS SAML mechanism that can then be used with SAML. I guess we are on the same page here?

-----Original Message-----
From: Leif Johansson [mailto:leifj at it.su.se]
Sent: Wed 11/16/2005 9:32 AM
To: Gerald Beuchelt
Cc: ietf-http-auth at osafoundation.org
Subject: Re: [Ietf-http-auth] Re: [SAML-mechanism] RE: as in SAML SASLMechanism?
Gerald Beuchelt wrote:
> I definitively see your points for choosing SASL from a protocol perspective.
> 
> However, one of the reasons I prefer GSS over SASL is the fact that the
> Windows Security architecture uses SSPI. If we want to make adoption
> easy for that platform and encourage interoperability, GSS would
> probably be a better choice.

It's actually not one or the other - GSS (at least GSS-SPNEGO and
GSS-KRB5) are already defined as SASL mechanisms. The SASL/GSS
debate is over frameworks, not mechanisms. My summary of the debate
is:

- I claim that the benefit of SASL over GSS (as frameworks) is
  pretty slim. I base this on the availability of SASL mechs on
  standards track which aren't already covered by existing HTTP
  authentication mechanisms (BASIC, X509 and DIGEST-MD5).

- Nico, jaltman et al claim that SASL is as good as anything
  else and that non-standards-track mechs have to be taken into
  account as well.

I agree with Nico: *shrug* sure whatever....

Please note though that the Microsoft-issue is yet a separate
discussion.

When designing a new http authentication mechanism it is probably
a good idea to take existing deployments into account. This is my main
argument for going with Negotiate with cbindings over anonymous tls;
this approach probably has a better chance of being widely deployed
since it basically already is.

	Cheers Leif