
Updated version of "X.509 Authentication SASL Mechanism"



I have handled all of the comments received, and will send an updated
draft in the next message.   Depending on comments received on this
version, I will be asking the WG chairs to issue a WG last call on
this document.  

Most of the input has led to straightforward updates.  I have changed
the mechanism definition to include the algorithm.  I believe this is
a significant improvement, and fits in with the spirit of SASL.

Sean Turner gave a number of useful inputs, and I have basically taken
these to align the specification to X.509 (97).

Two comments.

1) I have not changed the definition of Time as Sean suggests.  I
prefer to retain X.509 compatibility (unless there are some updates I
am not aware of).   Although there is technically a Y2K issue here,  I
cannot see how this extra complexity will help in any real
situations.   Certificates will not be given lifetimes of order 100
years, and the concept of a centennial replay attack seems daft in any
event. (I'm probably going to get roasted here).

2) I added the "generation-time" field, and Sean questioned its use.
This time information is allowed in the general X.509 framework,
although X.500 does not use it.  It seems to me that the party doing
the authentication may have a policy on timeouts, and so this field
may be useful in addition to the "time" field which is set according
to the policy of the party being authenticated.  I'd appreciate input
on this.


Steve Kille