IETF-SSH archive


Re: gss userauth



On Wed, Aug 27, 2003 at 06:54:53PM +0200, Love wrote:
> 
> Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:
> 
> >> It could do that.  I wonder if it would work.  I am sufficiently
> >> uncomfortable with GSS channel bindings to refrain from recommending
> >> their use until CCM becomes much more mature.
> >
> > Why are you uncomfortable with GSS channel bindings?  We know that they
> > work, from experience, where they are supported.  The lack of support
> > for channel bindings across the board is definitely one good reason to
> > be uncomfortable with using that facility to tackle this problem.
> 
> How about adding a boolean flag to the gss exchange that the client sets to
> tell the server it used bindings.

If we were starting from scratch we could just require the use of
channel bindings and be done.  (One can always build a pseudo-mech that
supports channel bindings from one that does not but which does support
integrity protection).

As it is we can't introduce a channel bindings requirement, though we
could introduce CCM to negotiate the use of channel bindings.  But even so
Jeff's latest proposal sounds much easier to implement (to me) and blah
blah blah (see my other posts today).

> This way we don't need to require channel bindings today. And servers can be
> configured to accept gss exchange that doesn't support integrity but
> channel binding.
> 
> There is the issue of how the server tells the client it needs to use channel
> bindings for that mech it just tried, but that I'm sure can be solved.

See CCM.  CCM is a proposed pseudo-mechanism that enables negotiation of
the use of channel bindings (it itself does not do the negotiation, but
it allows protocols that negotiate GSS-API mechanisms to negotiate the
use of channel bindings).

http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-ccm-01.txt

Nico
-- 
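Worked illustration of the two ideas in the thread above: Love's boolean flag telling the server whether the client used channel bindings, and Nico's remark that a pseudo-mechanism with channel-binding support can be built on top of any mechanism that offers integrity protection. This is an added example, not code from the list or from the CCM draft. It assumes HMAC-SHA256 as a stand-in for GSS_GetMIC/GSS_VerifyMIC, a constructed context key in place of one derived by a real mechanism, and the SSH session identifier as the channel binding data; all names and values are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for GSS-API primitives (assumption: a real mechanism
# derives the context key during context establishment and exposes
# GSS_GetMIC / GSS_VerifyMIC; HMAC-SHA256 plays that role here).
def derive_context_key(shared_secret: bytes) -> bytes:
    return hashlib.sha256(b"gss-ctx-key|" + shared_secret).digest()


def get_mic(ctx_key: bytes, data: bytes) -> bytes:
    """Stand-in for GSS_GetMIC: integrity tag over data under the context key."""
    return hmac.new(ctx_key, data, hashlib.sha256).digest()


def verify_mic(ctx_key: bytes, data: bytes, mic: bytes) -> bool:
    """Stand-in for GSS_VerifyMIC, with constant-time comparison."""
    return hmac.compare_digest(get_mic(ctx_key, data), mic)


@dataclass
class BindingToken:
    """Extra token the pseudo-mech sends once the inner context is up:
    the boolean flag from the thread plus a MIC over the channel bindings."""
    used_bindings: bool
    mic: Optional[bytes]


def client_binding_token(ctx_key: bytes,
                         channel_binding: Optional[bytes]) -> BindingToken:
    # For SSH the channel binding data would be the session identifier
    # (the exchange hash H); here it is whatever bytes the caller passes.
    if channel_binding is None:
        return BindingToken(used_bindings=False, mic=None)
    return BindingToken(used_bindings=True,
                        mic=get_mic(ctx_key, b"channel-binding|" + channel_binding))


def server_check_binding(ctx_key: bytes, token: BindingToken,
                         local_channel_binding: bytes,
                         require_bindings: bool) -> str:
    """Server-side policy: honour the flag, then verify the MIC against the
    server's own view of the channel so a context established over a
    different channel is rejected."""
    if not token.used_bindings:
        if require_bindings:
            return "rejected: server policy requires channel bindings"
        return "accepted: unbound context (no channel bindings)"
    if token.mic is None or not verify_mic(
            ctx_key, b"channel-binding|" + local_channel_binding, token.mic):
        return "rejected: channel binding mismatch"
    return "accepted: context bound to this channel"


def demo() -> dict:
    """Run the four cases a server implementer cares about."""
    ctx_key = derive_context_key(b"constructed-shared-secret")
    session_id = hashlib.sha256(b"constructed SSH exchange hash").digest()
    other_session_id = hashlib.sha256(b"constructed other session").digest()

    results = {}
    bound = client_binding_token(ctx_key, session_id)
    results["bound_same_channel"] = server_check_binding(
        ctx_key, bound, session_id, require_bindings=True)
    results["bound_other_channel"] = server_check_binding(
        ctx_key, bound, other_session_id, require_bindings=True)

    unbound = client_binding_token(ctx_key, None)
    results["unbound_required"] = server_check_binding(
        ctx_key, unbound, session_id, require_bindings=True)
    results["unbound_optional"] = server_check_binding(
        ctx_key, unbound, session_id, require_bindings=False)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "bound_other_channel" case is the one that matters for the threat discussed in the thread: the MIC was computed over one session identifier, the server checks it against its own, and the mismatch is detected without the server needing the underlying mechanism to know anything about channel bindings. The `require_bindings` switch is the server-side configuration knob Love describes.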


