Will sequence protection (GSS_C_SEQUENCE_FLAG) cover replay protection (GSS_C_REPLAY_FLAG) as well, or are there cases where I need both?

Thanks
Markus

On Wed, 18 Aug 2004 15:42, Ken Raeburn sent:
>On Aug 18, 2004, at 06:52, Markus Moeller wrote:
>> If I want to secure a connection between a client and a server with
>> gssapi, I have to cut the data into blocks to fit into the buffers
>> used by gss_wrap and gss_unwrap. Is there any check that these blocks
>> are sent in the right order and not tampered with? As far as I
>> understand it each block is protected, but not the sequence of the
>> blocks.
>>
>> Does this mean gssapi encryption on connections is flawed?
>
>No, GSSAPI mechanisms can provide sequencing checks, although they
>aren't required to. (Kerberos can provide it.) Look at the req_flags
>and ret_flags arguments to gss_init_sec_context.
>
>Ken
>

--
Markus Moeller
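
Added example, not part of the original thread or of any GSS-API library: a sketch of the req_flags/ret_flags check Ken points to, plus the per-block check on the major status returned by gss_unwrap. The helper names and the policy of requesting both flags are assumptions; the constants repeat the RFC 2744 C-binding values so the block builds without a GSS library.

```c
#include <stdio.h>

/* Normally from <gssapi/gssapi.h>. Values are those of the RFC 2744 C
 * bindings, repeated so the example builds without a GSS library. */
#ifndef GSS_C_REPLAY_FLAG
typedef unsigned int OM_uint32;
#define GSS_C_REPLAY_FLAG     4u
#define GSS_C_SEQUENCE_FLAG   8u
#define GSS_C_CONF_FLAG       16u
#define GSS_C_INTEG_FLAG      32u
#define GSS_S_DUPLICATE_TOKEN (1u << 1)
#define GSS_S_OLD_TOKEN       (1u << 2)
#define GSS_S_UNSEQ_TOKEN     (1u << 3)
#define GSS_S_GAP_TOKEN       (1u << 4)
#define GSS_ERROR(x)          ((x) & 0xFFFF0000u)
#endif

/* Assumed policy for a stream cut into wrapped blocks: pass this as
 * req_flags to gss_init_sec_context(). */
#define STREAM_REQ_FLAGS (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | \
                          GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)

/* Hypothetical helper: services requested but absent from ret_flags.
 * Non-zero means the mechanism did not grant them; do not send data. */
OM_uint32 missing_services(OM_uint32 ret_flags)
{
    return STREAM_REQ_FLAGS & ~ret_flags;
}

/* Hypothetical helper: decide on a block from gss_unwrap()'s major status.
 * The ordering results are supplementary bits, so GSS_ERROR() is false for
 * them and they must be tested separately. Returns 1 to accept. */
int accept_block(OM_uint32 major)
{
    const OM_uint32 ordering = GSS_S_DUPLICATE_TOKEN | GSS_S_OLD_TOKEN |
                               GSS_S_UNSEQ_TOKEN | GSS_S_GAP_TOKEN;
    if (GSS_ERROR(major))
        return 0;               /* bad MIC, expired context, ... */
    return (major & ordering) == 0;
}

int main(void)
{
    /* Constructed values: context granted without sequencing; duplicate block. */
    OM_uint32 ret_flags = GSS_C_REPLAY_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;
    printf("missing services: 0x%x\n", missing_services(ret_flags));
    printf("duplicate accepted: %d\n", accept_block(GSS_S_DUPLICATE_TOKEN));
    return 0;
}
```

A receiver that tests only GSS_ERROR() on the unwrap result treats duplicate, old, out-of-sequence and gap tokens as success, which is why the supplementary bits are checked explicitly here.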