IETF-SSH archive


Re: gss userauth



> I've pointed this out to the authors privately, so I'll repeat this
> publicly. I consider gss userauth to be broken since it doesn't verify the
> session id (using either a MIC or channel bindings (like in CCM)).

I'd not previously realized this, having not read that section of the
gss spec, but that does appear to me to be true, and I do agree that
it is something that should be fixed.

(I'm sending this message primarily because my understanding is that
``me toos'' are useful in determining what the working group consensus
is.)





