Support for Microsoft Set Password protocol
Nicolas Williams
Nicolas.Williams at sun.com
Wed Apr 2 11:24:04 EST 2003
On Wed, Apr 02, 2003 at 05:39:31PM +0200, Love wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
> > On Wed, Apr 02, 2003 at 05:13:23PM +0200, Love wrote:
> >> Why must the API depend on the protocol ?
> [....]
> > Perhaps the API should optionally allow the application to select a
> > single protocol version to use to avoid the downgrade attack.
>
> I think that the API should specify the type of security the client
> requests. Allow (pointless) downgrade attack, allow unauthenticated error
> messages, etc.
Well, with the caveat that KRB-ERROR is (for now) always authenticated
plaintext... Even with extensions there will be circumstances where
KRB-ERROR cannot be authenticated.
The fact that MIT's v1 server responds to version mismatches with a
KRB-ERROR rather than an AP-REP and KRB-PRIV does not help.
Therefore another caveat: allowing a downgrade and negotiating support
for major protocol versions other than 2 means pretty much the same
exact thing.
> Options for functionality and security, not protocol type/version. Well, a
> selection protocol option could exist, but that would need to be
> specified.
Agreed. Have an optional parameter for specifying the major protocol
version/type or negotiability and let it default according to local/site
configuration.
Cheers,
Nico
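The policy split discussed above, as an added example that is not part of the thread or of any MIT/Heimdal code: a password-change client that takes an optional fixed major version, a negotiability flag defaulting to site configuration, and an opt-in for acting on unauthenticated KRB-ERROR replies. The transport `send`, the `Reply` shape, the site default and the two mock servers are all constructed assumptions.

```python
"""Downgrade-policy logic for a password-change client (constructed example).
A server reply is modelled as either an authenticated AP-REP + KRB-PRIV pair
or a bare, unauthenticated KRB-ERROR, as in the thread."""
from dataclasses import dataclass
from typing import Optional

V2, V1 = 2, 1                       # the major protocol versions the thread discusses
SITE_DEFAULT_NEGOTIATE = False      # hypothetical local/site configuration default

@dataclass
class Reply:
    authenticated: bool             # True for AP-REP/KRB-PRIV, False for bare KRB-ERROR
    version_mismatch: bool = False  # KRB-ERROR that says "unsupported version"
    ok: bool = True                 # whether the password change succeeded

def change_password(send, version: Optional[int] = None, negotiate: Optional[bool] = None,
                    accept_unauthenticated_errors: bool = False) -> dict:
    """`send(v)` is a hypothetical transport returning a Reply for version v.
    A fixed `version` disables negotiation; otherwise site config decides."""
    if version is not None:
        negotiate = False
    elif negotiate is None:
        negotiate = SITE_DEFAULT_NEGOTIATE
    attempts = [version] if version is not None else ([V2, V1] if negotiate else [V2])
    for v in attempts:
        reply = send(v)
        if reply.authenticated:
            return {"version": v, "ok": reply.ok, "downgraded": v != attempts[0]}
        # Unauthenticated KRB-ERROR: anyone on the path could have produced it.
        if reply.version_mismatch and negotiate and v != attempts[-1]:
            continue                # caller explicitly allowed the downgrade path
        if not accept_unauthenticated_errors:
            raise RuntimeError(f"unauthenticated KRB-ERROR for version {v}; refusing")
        return {"version": v, "ok": False, "downgraded": False, "unauthenticated_error": True}
    raise RuntimeError("no protocol version accepted")

def v1_only_server(version):
    """Constructed server that, like the v1 server described in the thread,
    answers a version it does not understand with a bare KRB-ERROR."""
    if version == V1:
        return Reply(authenticated=True)
    return Reply(authenticated=False, version_mismatch=True)

def forged_errors(version):
    """Constructed reply stream: an unauthenticated KRB-ERROR for every version."""
    return Reply(authenticated=False, version_mismatch=True)
```

With the strict default, a version-mismatch KRB-ERROR is a hard failure; only the negotiable policy retries, and the result records that a downgrade happened so the caller can log it.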