IETF-SSH archive
Re: gss userauth
On Tue, Aug 26, 2003 at 05:14:28PM -0400, Jeffrey Hutzelman wrote:
> On Tuesday, August 26, 2003 13:56:18 -0700 Nicolas Williams
> <Nicolas.Williams%sun.com@localhost> wrote:
>
> >>(2) Add an additional step in which the client is required to send a MIC
> >>of the session ID before authentication can succeed. This is
> >>essentially the same as what we do in key exchange, but in the reverse
> >>direction.
> >
> >This MIC can be sent as soon as the context is GSS_C_PROT_READY, on
> >whichever side it's PROT_READY first. Though, it may be easiest to fit
> >it into the last message from the client.
>
> No; the direction actually matters. A MIC sent from the server to the
> client does not serve to bind the session to the client's identity, and
> thus does not solve the problem we are trying to address.

Sure it does. If the client and server have established a GSS-API
security context then any MIC made with it will be bound to that
context and the initiator and/or acceptor names authenticated by the
context's establishment.

Cheers,

Nico