[39519] in Kerberos
Re: IAKERB Starter Credentials Solution
daemon@ATHENA.MIT.EDU (Nico Williams)
Sun Apr 27 23:25:42 2025
Date: Sun, 27 Apr 2025 22:24:16 -0500
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <aA704GifClH8/uHo@ubby>
In-Reply-To: <fa4f4827-2be9-442f-b1d6-47bc871aa4fa@mit.edu>
Cc: kerberos <kerberos@mit.edu>
On Sun, Apr 27, 2025 at 01:48:30AM -0400, Greg Hudson wrote:
> If the goal is simply to tunnel an AS/TGS exchange over https using a web
> server set up for that purpose, I think MS-KKDCP is a more natural fit than
> IAKERB. See:

That helps in this context mainly because the krb5 API has support for
prompting, whereas GSS does not. Well, and because the OS can use
MS-KKDCP out-of-band rather than the app having to use IAKERB in-band.

I think really what this means is that IAKERB for acquiring initial
credentials is mainly uninteresting.

Nico