[PATCH] Fix SPNEGO interoperability with servers implementing RFC2478

Nico Williams nico at cryptonector.com
Mon Aug 4 14:55:26 EDT 2014

On Mon, Aug 04, 2014 at 07:29:06PM +0100, David Woodhouse wrote:
> >  I was hoping to find
> > support for this hypothesis in the history of the RFC 4178 drafts, but
> > even the -00 version of the draft contains all of the elements we're
> > talking about (the presence of the request-mic flag, the verbiage on how
> > to react to it, and the flat requirement of exchanging MICs).  So this
> > is complete speculation.
> Are any of the authors still available to ask? If their implementation
> in Windows isn't considered to be sufficient evidence of their intent,
> that is...

The mailing list archives should have plenty of content.  IIRC SPNEGO
was ambiguous as specified and subject to a downgrade attack as
implemented by one major implementor.  We thought we'd not be able to
fix this without a flag day untill Larry Zhu came up with a fix that
worked for all the cases we cared about, and this led to RFC4178.

I was an active participant, though I don't recall the details but I
could swap it all back in if need be.  All authors and participants
should still be reachable, but you're likely to find the mail archives
degrade less badly than human memory does!


More information about the krbdev mailing list