[27763] in Kerberos
Re: A generic kerberizing project
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri May 11 10:58:53 2007
From: Sam Hartman <hartmans@mit.edu>
To: Pete Martin <krbdev@pnmartin.fsnet.co.uk>
mail-followups-to: kerberos@mit.edu
Date: Fri, 11 May 2007 10:58:41 -0400
In-Reply-To: <1178880413.11850.7.camel@galileo.lan> (Pete Martin's message of
"Fri, 11 May 2007 11:46:53 +0100")
Message-ID: <tslr6pnl84e.fsf@mit.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu, kerberos@mit.edu
Reply-To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi. This is definitely a misuse of the krbdev@mit.edu list; your
question probably should have gone to kerberos@mit.edu. I'll direct
replies there. However I want to point out a couple of things.
If you are just using Kerberos to secure network traffic without
modifying existing applications take a look at RFC 4430. That's
basically the protocol you are looking for between your two boxes.
However, the solution you propose has some significant security
problems. In brief, the problem is that you are having authentication
going on at multiple levels: the Kerberos level with your box and the
level presumably using weaker authentication in the application
itself.
There are a lot of tricky issues to consider when doing this.
Take a look at http://tools.ietf.org/internet-drafts/draft-williams-on-channel-binding and http://tools.ietf.org/internet-drafts/draft-ietf-btns-prob-and-applic for descriptions of some of the issues.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
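The two-level authentication problem Sam Hartman points to above is what channel binding addresses: the inner (application) authentication is tied to the identity of the outer channel it runs over, so a credential proven on one outer channel cannot be forwarded unchanged over another. The following Python example is added here as an illustration and is not part of the original message nor code from MIT Kerberos; the shared application secret, the channel keys and the endpoint names are constructed, and the way a binding value is derived (a SHA-256 hash of channel key and endpoints) is an assumption standing in for the per-channel binding types that the channel-binding draft defines.

```python
import hashlib
import hmac
import os

# Constructed: the (possibly weak) credential the application itself uses.
APP_SECRET = b"application-level-password"


def channel_binding(channel_key: bytes, client_ep: str, server_ep: str) -> bytes:
    """Derive a value that identifies exactly one outer channel.

    Assumed derivation: hash the channel's session key together with both
    endpoint identities. Both ends of the channel can compute it; a different
    channel (different key or endpoints) yields a different value.
    """
    material = channel_key + b"|" + client_ep.encode() + b"|" + server_ep.encode()
    return hashlib.sha256(material).digest()


def unbound_token(nonce: bytes) -> bytes:
    """Inner authentication that ignores the outer channel (the weak form)."""
    return hmac.new(APP_SECRET, nonce, hashlib.sha256).digest()


def verify_unbound(nonce: bytes, token: bytes) -> bool:
    return hmac.compare_digest(unbound_token(nonce), token)


def bound_token(nonce: bytes, binding: bytes) -> bytes:
    """Inner authentication bound to the outer channel the client sees."""
    return hmac.new(APP_SECRET, nonce + binding, hashlib.sha256).digest()


def verify_bound(nonce: bytes, server_binding: bytes, token: bytes) -> bool:
    # The server recomputes the binding from *its* view of the outer channel.
    expected = hmac.new(APP_SECRET, nonce + server_binding, hashlib.sha256).digest()
    return hmac.compare_digest(expected, token)


def demo() -> tuple:
    """Return (direct_ok, relayed_bound_ok, relayed_unbound_ok)."""
    nonce = os.urandom(16)

    # Case 1: user and application server share a single outer channel.
    direct_key = os.urandom(32)
    cb_client = channel_binding(direct_key, "user-pc", "appserver")
    cb_server = channel_binding(direct_key, "user-pc", "appserver")
    direct_ok = verify_bound(nonce, cb_server, bound_token(nonce, cb_client))

    # Case 2: the user's outer channel ends at an intermediate box, which has
    # its own outer channel to the server and forwards the inner token.
    user_box_key = os.urandom(32)
    box_server_key = os.urandom(32)
    cb_user = channel_binding(user_box_key, "user-pc", "box")
    cb_at_server = channel_binding(box_server_key, "box", "appserver")
    relayed_bound_ok = verify_bound(nonce, cb_at_server, bound_token(nonce, cb_user))

    # Same forwarding, but with the unbound inner authentication: the server
    # cannot tell which outer channel the token was produced for.
    relayed_unbound_ok = verify_unbound(nonce, unbound_token(nonce))

    return direct_ok, relayed_bound_ok, relayed_unbound_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The third value is the problem described in the message: with the inner authentication independent of the outer channel, the server has no way to notice that the application credential was proven on a different channel from the one it terminates. The second value shows the bound form rejecting the same forwarded token because the binding the server computes for its own channel differs from the one the client mixed into the token.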