[39291] in Kerberos
Re: RFC 4121 & acceptor subkey use in MIC token generation
daemon@ATHENA.MIT.EDU (Nico Williams)
Thu Oct 26 18:32:24 2023
Date: Thu, 26 Oct 2023 17:31:17 -0500
From: Nico Williams <nico@cryptonector.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
Message-ID: <ZTrotTB6UE2wI3Ik@ubby21>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CALF+FNzM=egHeLLcqnVJpNv5kzQ7dq1sONP3Ba18Q2av-5f54w@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Thu, Oct 26, 2023 at 06:26:18PM -0400, Jeffrey Hutzelman wrote:
> The gss-keyex userauth method is just an optimization; it prevents you
> having to actually run the GSSAPI exchange again after you've already used
> one of the GSSAPI-based keyex methods. The real win is in the GSSAPI-based
> keyex methods themselves, which are useful (and exist) because they avoid
> having to pick one of these:
>
> [...]
All true. But you forgot the other benefit: automatic re-delegation of
credentials prior to expiration.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
