password change protocol implementation
Nicolas.Williams at sun.com
Tue Feb 17 15:44:47 EST 2004
On Tue, Feb 17, 2004 at 03:08:14PM -0500, Sam Hartman wrote:
> >>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> >>> >I'm actually not sure whether krb5_rd_cred should accept
> >>> directional >addresses; I believe clarifications speaks to
> >>> this but don't remember >what it says.
> >>> Hm, would a directional address even have any meaning for a
> >>> KRB_CRED?
> >> Maybe it could in user2user scenarios...
> Ken> Hm ... maybe, I guess if you're forwarding your credentials
> Ken> to another user and the application protocol permits either
> Ken> end to forward credentials ... although I wonder what a
> Ken> reflection attack would actually do in this scenario.
> The spec claims we don't care about reflection attacks for krb_cred.
> I just forget whether you are permitted to use directional addresses.
> Actually, 7.1 is rather unclear on krb_cred. Sigh.
Then one obvious conclusion is that s-address/r-address in KRB-CRED are
to be ignored by receipients, if present, and not sent by senders.
More information about the krbdev