Re: gss userauth

To: Love <lha%stacken.kth.se@localhost>
Subject: Re: gss userauth
From: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Date: Fri, 22 Aug 2003 12:45:24 -0400

> I've pointed out this to the authors privatly, so I'll repeat this
> publicly. I consider gss userauth to be broken since it doesn't verify the
> session id (using either mic or a channel bindings (like in CCM)).

I'd not previously realized this, having not read that section of the
gss spec, but that does appear to me to be true, and I do agree that
it is something that should be fixed.

(I'm sending this message primarily because my understanding is that
``me toos'' are useful in determining what the working group consensus
is.)

Follow-Ups:
- RE: gss userauth
  - From: Joseph Salowey

References:
- draft minutes from IETF57 secure shell meeting.
  - From: Bill Sommerfeld
- gss userauth
  - From: Love

Prev by Date: gss userauth
Next by Date: Re: Re-using RSA1 keys as RSA
Previous by Thread: gss userauth
Next by Thread: RE: gss userauth
Indexes:

Home | Main Index | Thread Index | Old Index