[20067] in Kerberos_V5_Development
Re: Current semantics for channel-bindings in GSSAPI
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Mon Mar 23 17:20:19 2020
In-Reply-To: <CAC-fF8S67=goQP_ccE_fWeiTtZQbzs96ZCBrX=EpMe6AAP1b_Q@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 23 Mar 2020 22:19:35 +0100
Message-ID: <CAC-fF8SXt53hoXJfsrPPxmy=TRs-nzhC1KvLWjw3OTaVB4eujw@mail.gmail.com>
To: Simo Sorce <simo@redhat.com>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
Nico Williams <nico@cryptonector.com>
On Sat, Mar 21, 2020 at 11:45 AM Isaac Boukris <iboukris@gmail.com> wrote:
>
> On Fri, Mar 20, 2020 at 10:19 PM Isaac Boukris <iboukris@gmail.com> wrote:
> >
> > BTW, it looks like both Heimdal/MIT do not handle the bindings in the
> > DCE style case, so we'd just not return channel-bound in that case.
>
> Actually, that seems wrong. I think the bindings are checked in the
> first leg of authentication, so perhaps we should keep the
> channel-bound flag on the context and return it by the end (although
> I'm not sure an outer channel is relevant).
Oh, the MIT code was already doing it, added tests for it.