[AFS3-std] New version of rxgk draft

Simon Wilkinson simon@sxw.org.uk
Sat, 10 Dec 2011 13:28:30 +0000


On 8 Dec 2011, at 23:55, Russ Allbery wrote:

> The enum RXGK_Level doesn't include the value for Bind, even though one
> has been assigned.  Is that intentional?

That's an oversight; it'll be fixed in the next document.

> Section 5:
>
> I think that should be "by decrypting the information," correct?

Yes - fixed

> There's no way to convey the minor GSS-API status back to the client?
> With Kerberos GSS-API negotiations, that often contains very useful
> information; the major status is usually basically useless.

That's correct; there's currently no way of returning minor status information. This is where it gets interesting, as there's no guarantee that minor status is portable between arbitrary GSSAPI implementations (so you can't feed one implementation's minor_status into another implementation's display_error and get the right results). Whilst RFC4121 specifies a standard set of textual identifiers for Kerberos minor_status, it doesn't specify numeric identifiers.

> expiration in the RXGK_ClientInfo struct doesn't use the time format
> defined elsewhere as the rxgk time format?

That's an oversight - fixed to use rxgkTime

>
> In 8.3, what's the rx epoch?  Is that an rx concept that we're just using
> under the assumption that readers are already familiar with rx?

Yes. Sadly there isn't a good reference document describing RX - the best source at present seems to be http://web.mit.edu/kolya/afs/rx/rx-spec, which Mike reformatted as an I-D back in 2009, although Mike's version no longer appears to be available. From that document:

	The connection epoch is a unique value chosen by Rx on startup and
	used by the peer both to identify connections to this host, and
	to detect when this host's Rx restarts

I'll add a reference to this in the Introduction, as well as a reference to the XDR specification.

> In 8.5, start_time here is also specified as the number of seconds since
> epoch, which is not the rxgk timestamp format defined earlier.

This was a late edit - the structure definition specifies it as rxgkTime, but the text still refers to it as seconds. Fixed.

> 8.6 talks about a version number of the rxgk challenge, but the challenge
> specified in 8.4 doesn't include a version field.

I've removed that text.

Thanks for the comprehensive review!

Cheers,

Simon.