GSS-API and libkrb5 behavior for Anonymous tickets
Sam Hartman
hartmans at MIT.EDU
Tue Nov 3 14:11:43 EST 2009
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
>> I agree the libkrb5 interface should keep that in mind. I'm
>> not sure this matches the GSS-API model well enough to support
>> there.
>>
>> In particular, take a look at the requirements in
>> draft-ietf-krb-wg-anon-10 for the anonymous KDC case. The text
>> seems to place a fairly strong requirement that you verify the
>> KDC before using the ticket. So, I'm not sure it would be
>> permitted to use it in a normal ap exchange. If we ignore
>> that, then it would perhaps be permissible to use such a ticket
>> in gss-api with the mutual authentication flag cleared,
>> although you would get very different security guarantees than
>> you typically do with Kerberos especially if you use
>> per-message protection. I'm not sure if that's OK or not.
Nicolas> The GSS-API very explicitly contemplates, and allows, for
Nicolas> security contexts with anonymous initiator and acceptor
Nicolas> names.
Really?
I was not aware that security contexts with anonymous acceptor names were permitted.
Do you have a reference handy?