[39272] in Kerberos
Re: RFC 4121 & acceptor subkey use in MIC token generation
daemon@ATHENA.MIT.EDU (Nico Williams)
Wed Oct 25 11:59:29 2023
Date: Wed, 25 Oct 2023 10:57:14 -0500
From: Nico Williams <nico@cryptonector.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Message-ID: <ZTk62q0DIAZmW0eL@ubby21>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, Oct 25, 2023 at 08:51:29AM -0400, Ken Hornstein wrote:
> I think we've lost the thread here; I do not think that any krb5
> mechanism today ever asserts PROT_READY before GSS_S_COMPLETE, but I
> would love to be proven wrong.
That's the whole point of being able to use the initiator sub-session
key: to allow the Kerberos GSS mechanism to assert PROT_READY on the
first call to GSS_Init_sec_context() even when mutual auth is requested.
Yes, RFC 4121 didn't say so, but it's the point.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
