RFC 4121 & acceptor subkey use in MIC token generation
Nico Williams
nico at cryptonector.com
Thu Oct 26 18:31:17 EDT 2023
On Thu, Oct 26, 2023 at 06:26:18PM -0400, Jeffrey Hutzelman wrote:
> The gss-keyex userauth method is just an optimization; it prevents you
> having to actually run the GSSAPI exchange again after you've already used
> one of the GSSAPI-based keyex methods. The real win is in the GSSAPI-based
> keyex methods themselves, which are useful (and exist) because they avoid
> having to pick one of these:
>
> [...]
All true. But you forgot the other benefit: automatic re-delegation of
credentials prior to expiration.
Nico
--
More information about the Kerberos
mailing list