IETF-SSH archive
Re: gss userauth
>>>>> "Love" == Love <lha%stacken.kth.se@localhost> writes:
Love> Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:
>>> It could do that. I wonder if it would work. I am
>>> sufficiently uncomfortable with GSS channel bindings to
>>> refrain from recommending their use until CCM becomes much
>>> more mature.
>> Why are you uncomfortable with GSS channel bindings? We know
>> that they work, from experience, where they are supported. The
>> lack of support for channel bindings across the board is
>> definitely one good reason to be uncomfortable with using that
>> facility to tackle this problem.
Love> How about adding a boolean flag to the gss exchange that the
Love> client sets to tell the server it used bindings.
Love> This way we don't need to require channel bindings today. And
Love> servers can be configured to accept gss exchange that
Love> doesn't support integrity but channel binding.
We can do anything we can get with channel bindings with a MIC. Why
are we going down the channel bindings rathole?