IETF-SSH archive


Re: gss userauth



Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:

>> It could do that.  I wonder if it would work.  I am sufficiently
>> uncomfortable with GSS channel bindings to refrain from recommending
>> their use until CCM becomes much more mature.
>
> Why are you uncomfortable with GSS channel bindings?  We know that they
> work, from experience, where they are supported.  The lack of support
> for channel bindings across the board is definitely one good reason to
> be uncomfortable with using that facility to tackle this problem.

How about adding a boolean flag to the gss exchange that the client sets to
tell the server it used bindings?

This way we don't need to require channel bindings today. And servers can be
configured to accept a gss exchange that doesn't support integrity but does
support channel binding.

There is the issue of how the server tells the client it needs to use channel
bindings for that mech it just tried, but I'm sure that can be solved.

Love

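To make the proposal above concrete, here is an added example (not code from the thread or from any SSH implementation) of the server-side decision it implies: a mech with integrity is accepted via the usual MIC over the session identifier, while a mech without integrity is accepted only when the client's "used bindings" flag is set, the acceptor itself confirmed the bindings matched, and the server is configured to allow it. The GSS context, its MIC and the session identifier are simulated with HMAC and constructed values; the class and function names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class MechResult:
    """What the server learns once the (simulated) GSS context is established."""
    integrity: bool         # mech can produce and verify MICs
    bindings_matched: bool  # acceptor compared channel bindings and they agreed
    key: bytes              # stand-in for the established context


@dataclass
class ServerPolicy:
    # Site configuration: accept a bound exchange even if the mech lacks integrity.
    accept_bound_without_integrity: bool


def client_mic(key: bytes, session_id: bytes) -> bytes:
    """Stand-in for GSS_GetMIC over the SSH session identifier (simulated)."""
    return hmac.new(key, session_id, hashlib.sha256).digest()


def server_accepts(policy: ServerPolicy, mech: MechResult, client_used_bindings: bool,
                   session_id: bytes, mic: Optional[bytes]) -> bool:
    """Decide whether the userauth exchange is acceptable under the proposed flag."""
    if mech.integrity:
        # Normal path: a valid MIC over the session identifier is required.
        if mic is None:
            return False
        return hmac.compare_digest(client_mic(mech.key, session_id), mic)
    # No integrity: the flag is only the client's claim. It counts only if the
    # acceptor actually verified the bindings and local policy permits this mode.
    return (policy.accept_bound_without_integrity
            and client_used_bindings
            and mech.bindings_matched)


def demo() -> dict:
    """Run the constructed cases; returns a name -> decision map for inspection."""
    sid = hashlib.sha256(b"constructed session identifier").digest()
    key = b"constructed-context-key"
    good_mic = client_mic(key, sid)
    return {
        "integrity_with_mic": server_accepts(ServerPolicy(True), MechResult(True, False, key), False, sid, good_mic),
        "integrity_no_mic": server_accepts(ServerPolicy(True), MechResult(True, False, key), False, sid, None),
        "bound_no_integrity": server_accepts(ServerPolicy(True), MechResult(False, True, key), True, sid, None),
        "flag_but_unverified": server_accepts(ServerPolicy(True), MechResult(False, False, key), True, sid, None),
        "policy_forbids": server_accepts(ServerPolicy(False), MechResult(False, True, key), True, sid, None),
    }
```

The "flag_but_unverified" case is the one to keep in mind: a server that trusts the flag without passing its own bindings to the acceptor gains nothing from it.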


