A GSS-API Mechanism for the Extensible Authentication Protocol
RFC 7055

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: RFC Editor <rfc-editor@rfc-editor.org>,
    abfab mailing list <abfab@ietf.org>,
    abfab chair <abfab-chairs@tools.ietf.org>
Subject: Protocol Action: 'A GSS-API Mechanism for the Extensible Authentication Protocol' to Proposed Standard (draft-ietf-abfab-gss-eap-09.txt)

The IESG has approved the following document:
- 'A GSS-API Mechanism for the Extensible Authentication Protocol'
  (draft-ietf-abfab-gss-eap-09.txt) as Proposed Standard

This document is the product of the Application Bridging for Federated
Access Beyond web Working Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-abfab-gss-eap/


Technical Summary

  This document defines protocols, procedures, and conventions to be
  employed by peers implementing the Generic Security Service
  Application Program Interface (GSS-API) when using the EAP mechanism. 
  Through the GS2 family of mechanisms, these protocols also define how
  Simple Authentication and Security Layer (SASL, RFC 4422)
  applications use the Extensible Authentication Protocol.

Working Group Summary

  As "usual" with I-Ds with lots of technical content in the security
  area (especially true for GSS-related stuff) there are fewer reviews
  than one might want. This document is no better or worse than most
  in this respect. 

  Sam Hartman (an author) had this concern during IETF LC that I'd 
  like to check with the IESG to make sure we're ok with this document 
  progressing now:

   "EAP (RFC 3748) has a applicability statement  scoped very strictly 
    to network access. This document  provides a mechanism that falls 
    well outside that applicability statement and permits the use of EAP 
    for general application authentication.

    When ABFAB was chartered, there was a charter item to update 
    the EAP applicability statement. I think A number of people in the 
    room at the BOF, including myself, would have objected to the work 
    being chartered had that charter item not been present.

    I think that work is important because I believe there are a number of
    important concerns that apply to the use of EAP for authentication
    beyond network access that need to be documented.

    Unfortunately, the technical specification has gotten ahead of the
    applicability statement update.

    I'm OK with that provided that we're still firmly committed to an
    applicability statement update. As part of approving this document now,
    I want to confirm that we have consensus at least within the ABFAB
    working group and the IESG to do that update. If there is any doubt I'd 
    far prefer that this document be held until the applicability statement 
    catches up."

Document Quality

  There is one implementation (moonshot project) that spans multiple
  platforms. To our knowledge no other implementations exists or are
  planned. The one implementation has seen quite a bit of testing
  though expecially for the GSS-layer since lots of opensource
  applications have been modified to support ABFAB/GSS-EAP using 
  moonshot. 

Personnel

  Leif Johansson is sheparding (co-chair)
  Stephen Farrell (AD)