- From: Nico Williams <nico@cryptonector.com>
- Date: Fri, 13 Jul 2012 00:16:56 -0500
- To: Paul Hoffman <paul.hoffman@gmail.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Thu, Jul 12, 2012 at 9:22 PM, Paul Hoffman <paul.hoffman@gmail.com> wrote:

> draft-williams-rest-gss relies on GSSAPI, which has thin adoption even
> after many years.

[...]

If you consider that the SSPI is very similar to the GSS-API, and wire-compatible with it anyways, then that assertion is quite clearly incorrect. SSPI is extremely widely used, both in proprietary application protocols and standard ones (including TLS, since SSPI is the interface to TLS in Windows).

The GSS-API has had a dearth of mechanisms for it deployed, but this is beginning to change. We now have all of these standardized and/or deployed:

- Kerberos (including IAKERB)
- GSS-EAP (see ABFAB WG)
- SCRAM
- Microsoft's PKU2U (PKI, based on Kerberos w/ PKINIT)
- the GSI mechanism that is really just TLS repackaged as GSS (See again how SSPI is the interface to TLS in Windows. It's also the interface to SASL.)
- OAuth and SAML-based mechanisms are in the works as well.

It's easy enough to add new GSS-API mechanisms, but between GSS-EAP, Kerberos (particularly with trust routing and bootstrapping enhancements), PKU2U, OAuth, and SAML I think we have most needs covered. A ZKPP mechanism or three should be added, but unless that's done in a way that federates then I think it's best to make sure that GSS-EAP can use ZKPP EAP methods and Kerberos can use ZKPP pre-authentication mechanisms.

The biggest Internet protocol users of the GSS-API are SSHv2 (yes, really, SSHv2 w/ GSS and Kerberos is widely deployed in corporate networks), LDAP (see again Windows), and NFS. But also IMAP (see Exchange), DNS (GSS-TSIG, see Active Directory and Windows) and others. There are also widely deployed non-Internet standards-track protocols, such as SMB, as well as many proprietary protocols.

And then there's HTTP/Negotiate -- how could I forget! (though to be sure I don't really like HTTP/Negotiate, otherwise I might just have proposed that.)

Nico
--
Received on Friday, 13 July 2012 05:17:20 UTC
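The message above mentions HTTP/Negotiate as one of the GSS-API's carriers. The following is an added example, not code from the original message or from any project named in it: a small parser that takes the value of an `Authorization: Negotiate ...` (or `WWW-Authenticate: Negotiate ...`) header, decodes the RFC 2743 InitialContextToken framing, and reports which GSS-API mechanism OID the token announces, so that a gateway or log pipeline can record the mechanism per request. The sample tokens are constructed here; their inner payloads are placeholders, not real Kerberos AP-REQ or SPNEGO NegTokenInit bodies.

```python
"""Identify the GSS-API mechanism carried in an HTTP Negotiate header.

Added example (not the original message's or any project's code). Assumes
nothing beyond the Python standard library. Sample tokens are constructed.
"""
import base64

# Mechanism OIDs in dotted form. SPNEGO: RFC 4178; Kerberos V5: RFC 4121.
KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
}

# DER-encoded OID TLVs for the two mechanisms above (tag 0x06, length, arcs).
_OID_SPNEGO = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
_OID_KRB5 = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n):
    """Inverse of _der_length, used only to build the constructed samples."""
    if n < 0x80:
        return bytes([n])
    nb = (n.bit_length() + 7) // 8
    return bytes([0x80 | nb]) + n.to_bytes(nb, "big")


def _decode_oid(body):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:                    # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def classify_gss_token(token):
    """Classify a decoded Negotiate token by its outer framing."""
    if token.startswith(b"NTLMSSP\x00"):
        # Some clients send a bare NTLM message here instead of a GSS token.
        return {"kind": "raw_ntlmssp", "mech": None, "mech_name": "NTLMSSP (unframed)"}
    if not token or token[0] != 0x60:
        raise ValueError("not an RFC 2743 InitialContextToken ([APPLICATION 0] tag missing)")
    total, pos = _der_length(token, 1)
    if pos + total != len(token):
        raise ValueError("InitialContextToken length mismatch")
    if token[pos] != 0x06:
        raise ValueError("expected mechanism OID after token tag")
    oid_len, pos = _der_length(token, pos + 1)
    oid = _decode_oid(token[pos:pos + oid_len])
    inner = token[pos + oid_len:]
    return {"kind": "initial_context_token", "mech": oid,
            "mech_name": KNOWN_MECHS.get(oid, "unknown"), "inner_len": len(inner)}


def parse_negotiate_header(value):
    """Parse an Authorization / WWW-Authenticate header value of scheme Negotiate."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    if not b64.strip():                   # bare "Negotiate": server's initial challenge
        return {"kind": "challenge", "mech": None, "mech_name": None}
    return classify_gss_token(base64.b64decode(b64.strip(), validate=True))


def build_initial_context_token(oid_der, inner):
    """Construct an InitialContextToken around a (placeholder) inner token."""
    body = oid_der + inner
    return b"\x60" + _der_encode_length(len(body)) + body


def sample_headers():
    """Constructed Negotiate header values for the three cases handled above."""
    return {
        "spnego": "Negotiate " + base64.b64encode(
            build_initial_context_token(_OID_SPNEGO, b"PLACEHOLDER-NEGTOKENINIT")).decode(),
        "krb5_long": "Negotiate " + base64.b64encode(
            build_initial_context_token(_OID_KRB5, b"\x01\x00" + b"X" * 200)).decode(),
        "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    }


if __name__ == "__main__":
    for name, hdr in sample_headers().items():
        print(name, parse_negotiate_header(hdr))
```

Logging the mechanism per request is a cheap check on a deployment: a client that suddenly shows up as unframed NTLMSSP or an unknown OID, where SPNEGO-wrapped Kerberos was expected, is worth investigating, since it usually signals a fallback from Kerberos to a weaker mechanism.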