Suppressing conf/integ flags in krb5 GSS tokens

Nico Williams nico at
Mon Jun 1 15:15:45 EDT 2015

On Mon, Jun 01, 2015 at 01:04:22PM -0400, Benjamin Kaduk wrote:
> That seems correct.  Section 1.2.2:
>    GSS-API callers desiring per-message security services should check
>    the values of these flags at context establishment time, and must be
>    aware that a returned FALSE value for integ_avail means that
>    invocation of GSS_GetMIC() or GSS_Wrap() primitives on the associated
>    context will apply no cryptographic protection to user data messages.
> Note that this seems to imply that you can generate a MIC which provides
> no integrity benefit, calling the above assumption into question.

Ugh.  That's like the GSS_Add_cred() text: broken and unmatched by

As to MIT Kerberos, you *of course* know what *it* does.


More information about the krbdev mailing list