Reuse of GSSAPI Tokens
Matt Crawford
crawdad at fnal.gov
Thu Jul 21 15:32:03 EDT 2005

On Jul 21, 2005, at 14:24, Jiva DeVoe wrote:

> It's just if I wanted to do init/accept/accept/accept that I can't do
> it.

Think about it.
If you, the client, can use a given GSS token again, then I, the
eavesdropper, can do the same.
I think you don't want that.

> C creates a token using *_init_* and gives it to A to access a
> resource.

It may take several client/server exchanges to establish a context.
What you seek is "credential delegation."