GSS-API and libkrb5 behavior for Anonymous tickets
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Nov 4 14:19:05 EST 2009
--On Tuesday, November 03, 2009 11:41:55 AM -0600 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> Just because the mechanism can do that doesn't mean it should. I'd
> rather treat the anon req_flag as critical in the mechanism
> implementations, even though from the application's p.o.v. it's
> optional.
Me too.
Normally, we tell application implementors to check the return state and
not use a context that doesn't meet the application's needs; this allows
applications lots of flexibility in asking for the moon and using what they
can get. However, anon_req is qualitatively different here, in that if you
request an anonymous context, complete context establishment, and end up
with a non-anonymous context, you've given away the farm even if you don't
use the context. Now, we provide applications a way to prevent this by
indicating anon_state early enough that they can decline to send a token
along that would reveal the client's identity. But, I'm inclined to think
it's better (safer) for mechanisms simply not to establish a context at all
if anonymity is requested and cannot be provided.
-- Jeff
More information about the krbdev
mailing list