GSS-API and libkrb5 behavior for Anonymous tickets

Nicolas Williams Nicolas.Williams at
Tue Nov 3 12:05:29 EST 2009

On Tue, Nov 03, 2009 at 11:55:00AM -0500, Greg Hudson wrote:
> Finally: it's my understanding (though I haven't read the anonymous
> pkinit spec) that it is valid to do anonymous pkinit to a realm you
> can't verify the certificate of, and that this may be valuable in
> obtaining a FAST armor ticket--with the proviso that your armor is then
> vulnerable to a man-in-the-middle attack.  It sounds like your
> implementation is not going to allow that case at first, but the
> interface should keep that case in mind as a future possibility.

The GSS-API certainly allows the mechanism to have an anonymous name
type for acceptor naming...  This could be allowed -- it can't happen
accidentally, though it may not be very useful at all, so if Sam doesn't
want to implement it, I understand.

More information about the krbdev mailing list