[38423] in Kerberos
Re: Kerberos n00b question.
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Jan 7 13:53:19 2019
From: Russ Allbery <eagle@eyrie.org>
To: Grant Taylor <gtaylor@tnetconsulting.net>
In-Reply-To: <38a2963c-3abe-22ce-1946-9be90c757c6d@spamtrap.tnetconsulting.net>
(Grant Taylor's message of "Mon, 7 Jan 2019 11:06:46 -0700")
Date: Mon, 7 Jan 2019 10:53:07 -0800
Message-ID: <87pnt8qoz0.fsf@hope.eyrie.org>
Cc: Kerberos <kerberos@mit.edu>
Grant Taylor <gtaylor@tnetconsulting.net> writes:
> On 01/07/2019 10:53 AM, Russ Allbery wrote:
>> The standard solution for this is FAST, which protects the initial
>> authentication against this attack. (You do need some other credential
>> to set up the FAST tunnel, but you can use anonymous Diffie-Hellman via
>> anonymous PKINIT, or you can use a randomized key.)
> Would you please expand (what I assume is) the FAST acronym? I expect
> that there will be quite a few phonetic collisions searching for "FAST".
I think it stands for Flexible and Secure Tunneling. It's defined in:

https://tools.ietf.org/html/rfc6113.html

The keywords "kerberos fast" in Google seem to turn up the right stuff
(rather more than I had expected; I, like you, was expecting that to be
drowned by performance stuff).
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>