password change protocol implementation

Nicolas Williams Nicolas.Williams at
Tue Feb 17 15:44:47 EST 2004

On Tue, Feb 17, 2004 at 03:08:14PM -0500, Sam Hartman wrote:
> >>>>> "Ken" == Ken Hornstein <kenh at> writes:
>     >>> >I'm actually not sure whether krb5_rd_cred should accept
>     >>> directional >addresses; I believe clarifications speaks to
>     >>> this but don't remember >what it says.
>     >>> 
>     >>> Hm, would a directional address even have any meaning for a
>     >>> KRB_CRED?
>     >>  Maybe it could in user2user scenarios...
>     Ken> Hm ... maybe, I guess if you're forwarding your credentials
>     Ken> to another user and the application protocol permits either
>     Ken> end to forward credentials ...  although I wonder what a
>     Ken> reflection attack would actually do in this scenario.
> The spec claims we don't care about reflection attacks for krb_cred.
> I just forget whether you are permitted to use directional addresses.
> Actually, 7.1 is rather unclear on krb_cred.  Sigh.

Then one obvious conclusion is that s-address/r-address in KRB-CRED are
to be ignored by receipients, if present, and not sent by senders.


More information about the krbdev mailing list