IETF-SSH archive
Re: gss userauth
On Mon, 1 Sep 2003, Markus Friedl wrote:
> On Tue, Aug 26, 2003 at 11:42:52PM -0400, Joel N. Weber II wrote:
> > I dislike the partial authentication approach. I believe it adds
> > significant complexity to an implementation.
>
> I agree, not only because of the implementation complexity.
>
> I don't see a reason why this should be considered a
> 'partial authentication'. Why not treat this as two
> different methods and phase out the non-mic version
> instead of keeping the less secure version around forever?
Eliminating the non-mic version means eliminating any support for GSSAPI
mechanisms which are unable to provide integrity protection for
application messages (i.e. gss_GetMIC). I think we already decided much
earlier in the development of this specification that we didn't want to do
that; are you suggesting we revisit that decision?
Also, inventing a new method doesn't eliminate the need for something like
gssapi-mic to be used in conjunction with GSSAPI-based key exchange. Why
solve the same problem twice?
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+%cmu.edu@localhost>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA