RFC 4121 & acceptor subkey use in MIC token generation

Nico Williams nico at cryptonector.com
Wed Oct 25 11:57:14 EDT 2023


On Wed, Oct 25, 2023 at 08:51:29AM -0400, Ken Hornstein wrote:
> I think we've lost the thread here; I do not think that any krb5
> mechanism today ever asserts PROT_READY before GSS_S_COMPLETE, but I
> would love to be proven wrong.

That's the whole point of being able to use the initiator sub-session
key: to allow the Kerberos GSS mechanism to assert PROT_READY on the
first call to GSS_Init_sec_context() even when mutual auth is requested.

Yes, RFC 4121 didn't say so, but it's the point.

Nico