Re: gss userauth

To: Joseph Galbraith <galb-list%vandyke.com@localhost>
Subject: Re: gss userauth
From: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Date: Tue, 02 Sep 2003 23:02:10 -0400

> "Integrity MUST be specified as an input to gss_init_sec_context().
> If the resulting context supports integrity, the output of
> gss_getMic on <some data> must be included.  Otherwise the
> "mic" string MUST be empty.
>
> It is a site policy descision for the server whether or not
> to accept for authentication gss mechanisms that do not
> support integrity.  The server MAY fail the otherwise valid
> gssapi-with-mic authentication if integrity is not supported.

I like the general idea behind this proposal.

The only concern I have is that the language ought to specify that if
you're supporting some mechanisms that do integrity and some that
don't, you should not force the site policy to turn off the mic for
the mechanisms that do support integrity.  I'm not sure if gssapi
gives you a better way to do this than allowing this to be configured
on a per-mechanism basis.

References:
- Re: gss userauth
  - From: Joel N. Weber II
- Re: gss userauth
  - From: Jeffrey Hutzelman
- Re: gss userauth
  - From: Joseph Galbraith

Prev by Date: Re: gss userauth
Next by Date: Re: gss userauth
Previous by Thread: Re: gss userauth
Next by Thread: Re: gss userauth
Indexes:

Home | Main Index | Thread Index | Old Index