[29037] in Kerberos
Re: Is "SPN advertisement" or well-known SPNs a security hole?
daemon@ATHENA.MIT.EDU (Todd Stecher)
Mon Jan 14 18:23:10 2008
Message-Id: <9602FAE2-578A-46A5-8DA9-01A23FAA7D6C@qwest.net>
From: Todd Stecher <tstecher@qwest.net>
To: Srinivas Kakde <srinivas.kakde@yahoo.com>
In-Reply-To: <422369.96913.qm@web46012.mail.sp1.yahoo.com>
Mime-Version: 1.0 (Apple Message framework v915)
Date: Mon, 14 Jan 2008 14:36:31 -0800
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Once you go down that route (e.g. allowing SPNEGO to specify service
principal), you no longer have mutual auth, because you no longer are
connecting to precisely the server the client / client application
specified. You could be talking w/ whomever intercepted that traffic,
and returned their SPN.
On Jan 14, 2008, at 1:57 PM, Srinivas Kakde wrote:
>
> This message says: From a security standpoint, allowing the server
> to specify its
> service principal is a "bad idea".
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
