[15932] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #8656] Implement client optimistic SPAKE,

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Tue Apr 3 13:48:38 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8656@krbdev.mit.edu>
Message-ID: <rt-8656-48370.3.63924252046459@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8656'":;
Date: Tue,  3 Apr 2018 13:48:26 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

Optimistic SPAKE might not be completely safe in scenarios like the 
following: a KDC offers PKINIT and 1FA SPAKE for a principal, the 
former providing either a more convenient passwordless login experience 
or a more generous authentication indicator, the latter being a 
fallback option for devices that don't possess the client certificate.  
If the client does optimistic SPAKE, it won't learn about the KDC's 
offer of PKINIT, and will ask for the password and/or settle for not 
getting the PKINIT auth indicator.

So perhaps explicit configuration should be required for the client to 
use optimistic SPAKE.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

home help back first fref pref prev next nref lref last post