Channel Bindings questions

Liqiang(Larry) Zhu lzhu at windows.microsoft.com
Wed Jun 9 19:22:23 EDT 2004


Thanks. This sounds terrific.

Larry

-----Original Message-----
From: Sam Hartman [mailto:hartmans at mit.edu] 
Sent: Wednesday, June 09, 2004 4:00 PM
To: Liqiang(Larry) Zhu
Cc: krbdev at mit.edu
Subject: Re: Channel Bindings questions

>>>>> "Larry" == Liqiang(Larry) Zhu <lzhu at windows.microsoft.com> writes:

    Larry> Folks, can you comment on the following findings by one of
    Larry> our customers.

The assertion that channel bindings are useless is false.  Remember they
are authenticated; the server knows whether a client intended to include
them.

However I agree that the MIT behavior is wrong; see bug #2591 at
http://krbdev.mit.edu/rt/ (login guest, password guest).  

Here's a description of the bug:


Based on discussion on kerberos at mit.edu, the decision to allow null
channel bindings from a client to match even when server channel
bindings are supplied is flawed.  This decision assumes that we cannot
get server implementations to change even though we are able to deploy a
new Kerberos implementation on the server.  In practice the server
implementations in question have actually changed and so the only part
of revision 1.54 of accept_sec_context.c we actually need is the code to
ignore channel bindings if null channel bindings are passed into the
server.  Thus the change to allow null channel bindings from the client
to match against any channel bindings on the server is backed out.


--Sam
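The acceptor-side check Sam's bug description is about, as an added illustration that is not MIT Kerberos code and not part of the original thread: the revision 1.54 policy (null client bindings match any server bindings) beside the backed-out policy (only null server bindings skip the check). It assumes the RFC 1964 encoding of the channel-binding hash, MD5 over the bindings with all-zero bytes standing for null client bindings; the thread itself does not spell that encoding out.

```python
# Added example, not MIT Kerberos code. Models the accept_sec_context.c
# channel-binding comparison discussed in bug #2591.
import hashlib
import struct
from typing import NamedTuple, Optional


class ChannelBindings(NamedTuple):
    initiator_addrtype: int = 0
    initiator_address: bytes = b""
    acceptor_addrtype: int = 0
    acceptor_address: bytes = b""
    application_data: bytes = b""


NULL_BINDINGS_HASH = bytes(16)  # what a client sends when it passes no bindings (assumed per RFC 1964)


def rfc1964_bindings_hash(cb: Optional[ChannelBindings]) -> bytes:
    """MD5 over the RFC 1964 4.1.1.2 layout (assumed): addrtype, len+addr, addrtype,
    len+addr, len+appdata, each integer 4 bytes little-endian."""
    if cb is None:
        return NULL_BINDINGS_HASH
    buf = struct.pack("<I", cb.initiator_addrtype)
    buf += struct.pack("<I", len(cb.initiator_address)) + cb.initiator_address
    buf += struct.pack("<I", cb.acceptor_addrtype)
    buf += struct.pack("<I", len(cb.acceptor_address)) + cb.acceptor_address
    buf += struct.pack("<I", len(cb.application_data)) + cb.application_data
    return hashlib.md5(buf).digest()


def accept_flawed(client_hash: bytes, server_cb: Optional[ChannelBindings]) -> bool:
    """Revision 1.54 behaviour: a client that omitted bindings passes even when
    the server supplied bindings, so the server cannot enforce them."""
    if server_cb is None:
        return True  # server passed no bindings: nothing to check
    if client_hash == NULL_BINDINGS_HASH:
        return True  # the flawed exception that bug #2591 backs out
    return client_hash == rfc1964_bindings_hash(server_cb)


def accept_fixed(client_hash: bytes, server_cb: Optional[ChannelBindings]) -> bool:
    """Backed-out behaviour: only null *server* bindings skip the comparison;
    any other mismatch, including a client that sent none, is a bindings failure
    (GSS_S_BAD_BINDINGS in the real API)."""
    if server_cb is None:
        return True
    return client_hash == rfc1964_bindings_hash(server_cb)
```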


