RE: gss userauth

To: "'Joel N. Weber II'" <ietf-secsh%joelweber.com@localhost>, "'Love'" <lha%stacken.kth.se@localhost>
Subject: RE: gss userauth
From: "Joseph Salowey" <jsalowey%cisco.com@localhost>
Date: Fri, 22 Aug 2003 14:41:38 -0700

I'm in favor of using channel bindings for this purpose.  

CCM could be one approach to do this. 
http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-ccm-01.txt

At first glance it seems a little complex, but I need to actaully read
the spec.  

Joe



> -----Original Message-----
> From: ietf-ssh-owner%NetBSD.org@localhost 
> [mailto:ietf-ssh-owner%NetBSD.org@localhost] On Behalf Of Joel N. Weber II
> Sent: Friday, August 22, 2003 9:45 AM
> To: Love
> Cc: ietf-ssh%NetBSD.org@localhost
> Subject: Re: gss userauth
> 
> 
> > I've pointed out this to the authors privatly, so I'll repeat this 
> > publicly. I consider gss userauth to be broken since it 
> doesn't verify 
> > the session id (using either mic or a channel bindings 
> (like in CCM)).
> 
> I'd not previously realized this, having not read that 
> section of the gss spec, but that does appear to me to be 
> true, and I do agree that it is something that should be fixed.
> 
> (I'm sending this message primarily because my understanding 
> is that ``me toos'' are useful in determining what the 
> working group consensus
> is.)
> 
> 
>

Follow-Ups:
- RE: gss userauth
  - From: Jeffrey Hutzelman

References:
- Re: gss userauth
  - From: Joel N. Weber II

Prev by Date: Re: Re-using RSA1 keys as RSA
Next by Date: RE: gss userauth
Previous by Thread: Re: gss userauth
Next by Thread: RE: gss userauth
Indexes:

Home | Main Index | Thread Index | Old Index