IETF-SSH archive


RE: gss userauth



I'm in favor of using channel bindings for this purpose.  

CCM could be one approach to do this. 
http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-ccm-01.txt

At first glance it seems a little complex, but I need to actually read
the spec.

Joe



> -----Original Message-----
> From: ietf-ssh-owner%NetBSD.org@localhost 
> [mailto:ietf-ssh-owner%NetBSD.org@localhost] On Behalf Of Joel N. Weber II
> Sent: Friday, August 22, 2003 9:45 AM
> To: Love
> Cc: ietf-ssh%NetBSD.org@localhost
> Subject: Re: gss userauth
> 
> 
> > I've pointed out this to the authors privately, so I'll repeat this
> > publicly. I consider gss userauth to be broken since it doesn't verify
> > the session id (using either mic or a channel bindings (like in CCM)).
> 
> I'd not previously realized this, having not read that 
> section of the gss spec, but that does appear to me to be 
> true, and I do agree that it is something that should be fixed.
> 
> (I'm sending this message primarily because my understanding
> is that ``me toos'' are useful in determining what the
> working group consensus is.)
> 
> 
> 
