Reuse of GSSAPI Tokens

Matt Crawford crawdad at
Thu Jul 21 15:32:03 EDT 2005

On Jul 21, 2005, at 14:24, Jiva DeVoe wrote:

> It's just if I wanted to do init/accept/accept/accept that I can't do 
> it.

Think about it.

If you, the client, can use a given GSS token again, then I, the 
eavesdropper, can do the same.

I think you don't want that.

> C creates a token using *_init_* and gives it to A to access a 
> resource.

It may take several client/server exchanges to establish a context.  
What you seek is "credential delegation."

More information about the krbdev mailing list