Current semantics for channel-bindings in GSSAPI

Simo Sorce simo at
Mon Mar 2 11:52:47 EST 2020

On Mon, 2020-03-02 at 17:22 +0100, Isaac Boukris wrote:
> That may explain why Windows HTTP client would ask INTEG indeed. Note
> that over TLS Win LDAP client won't request INTEG even in SPNEGO,
> while the HTTP does.

I guess that makes sense because in that case integrity is provided by
the TLS channel, so you just need to bind to it to ensure no tampering.

Although HTTPS could be seen as the same, I assume they didn't want to
have the client/server application need to distinguish between HTTP and
HTTPS (especially because HTTPS was not so common when the SPNEGO RFC
was drafted) so it was easier to just always protect the integrity of
the mech list... for what it was worth ...


Simo Sorce
RHEL Crypto Team
Red Hat, Inc
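As an added example for this thread (not code from krb5, from MIT, from Microsoft, or from Simo's message), here is how the "bind to the TLS channel" part is usually realised in GSSAPI: the client and server each derive the RFC 5929 tls-server-end-point value from the server certificate and pass it as channel-binding application data, so the Kerberos/SPNEGO exchange is tied to that specific TLS session and cannot be relayed to another one. The DER walking below is the minimum needed to locate the certificate's signatureAlgorithm OID; the "certificate" in the test input is a constructed DER stub with that shape, not a real certificate, and the OID-to-hash table is assumed from RFC 5929 section 4.1 (MD5 and SHA-1 are replaced by SHA-256, anything unlisted has no defined binding).

```python
"""Derive the RFC 5929 'tls-server-end-point' channel binding from a DER cert.

Added example for this thread; not code from krb5, GSSAPI or any Windows
component.  Only the certificate's signatureAlgorithm OID is parsed.
"""
import hashlib

# RFC 5929 4.1: MD5 / SHA-1 signature hashes are replaced by SHA-256, other
# signature hashes are used as-is.  Unlisted OIDs have no defined binding,
# so we refuse instead of guessing (assumed mapping, see lead-in).
_SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption   -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption  -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1        -> SHA-256
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _tlv(buf: bytes, off: int):
    """Return (tag, content_start, content_end) for the DER element at `off`."""
    tag = buf[off]
    length = buf[off + 1]
    hdr = 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    start = off + hdr
    return tag, start, start + length


def _decode_oid(raw: bytes) -> str:
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(cert_der, start)           # skip tbsCertificate
    tag, alg_start, _ = _tlv(cert_der, tbs_end)     # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid_start, oid_end = _tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(cert_der[oid_start:oid_end])


def tls_server_end_point(cert_der: bytes) -> bytes:
    """GSS channel-binding application_data for RFC 5929 tls-server-end-point."""
    oid = signature_algorithm_oid(cert_der)
    try:
        algo = _SIG_OID_TO_HASH[oid]
    except KeyError:
        raise ValueError(f"no defined tls-server-end-point hash for {oid}") from None
    return b"tls-server-end-point:" + hashlib.new(algo, cert_der).digest()


# --- constructed input: a certificate-shaped DER stub, not a real cert ---
def _der(tag: int, content: bytes) -> bytes:
    if len(content) >= 128:
        raise ValueError("stub encoder only handles short-form lengths")
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(enc)
    return bytes(out)


def stub_certificate(sig_oid: str) -> bytes:
    """Junk tbsCertificate and signatureValue around a real signatureAlgorithm."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00\xff")
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    cert = stub_certificate("1.2.840.113549.1.1.5")   # sha1WithRSA -> SHA-256
    print(tls_server_end_point(cert).hex())
```

The returned bytes are what goes into the application_data field of the GSS channel-binding structure on both sides (with python-gssapi, for instance, gssapi.raw.ChannelBindings(application_data=...)); the initiator then does not need GSS_C_INTEG_FLAG for tamper-resistance of the outer channel, which is the point of the LDAP-over-TLS behaviour quoted above. Note the failure mode the example handles: if the signature algorithm has no defined hash, the binding is undefined and should be treated as an error rather than silently computed with a default.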

More information about the krbdev mailing list