IETF-SSH archive


Re: gss userauth



> Why are you uncomfortable with GSS channel bindings?  We know that they
> work, from experience, where they are supported.  The lack of support
> for channel bindings across the board is definitely one good reason to
> be uncomfortable with using that facility to tackle this problem.

So, is there any deployed software anywhere that uses GSS channel
bindings with krb5 gssapi?  Or with gsi gssapi?  If so, is there more
than one independent implementation with demonstrated
interoperability?

I strongly believe we should pick an approach that involves the use of
a MIC.

And I also don't see that channel bindings really buy us anything.
There are ways to do a MIC that will allow an old client to
interoperate with a new server, and vice versa.  Do channel bindings
ever allow the problems to be solved without upgrading both the client
and server?




