Suppressing conf/integ flags in krb5 GSS tokens
nico at cryptonector.com
Mon Jun 1 15:15:45 EDT 2015
On Mon, Jun 01, 2015 at 01:04:22PM -0400, Benjamin Kaduk wrote:
> That seems correct. Section 1.2.2:
> GSS-API callers desiring per-message security services should check
> the values of these flags at context establishment time, and must be
> aware that a returned FALSE value for integ_avail means that
> invocation of GSS_GetMIC() or GSS_Wrap() primitives on the associated
> context will apply no cryptographic protection to user data messages.
> Note that this seems to imply that you can generate a MIC which provides
> no integrity benefit, calling the above assumption into question.
Ugh. That's like the GSS_Add_cred() text: broken and unmatched by
As to MIT Kerberos, you *of course* know what *it* does.
More information about the krbdev