Current semantics for channel-bindings in GSSAPI

Simo Sorce simo at redhat.com
Mon Mar 2 11:52:47 EST 2020


On Mon, 2020-03-02 at 17:22 +0100, Isaac Boukris wrote:
> That may explain why Windows HTTP client would ask INTEG indeed. Note
> that over TLS Win LDAP client won't request INTEG even in SPNEGO,
> while the HTTP does.

I guess that makes sense because in that case integrity is provided by
the TLS channel, so you just need to bind to it to ensure no tampering
happened.

Although HTTPS could be seen as the same, I assume they didn't want to
have the client/server application need to distinguish between HTTP and
HTTPS (especially because HTTPS was not so common when the SPNEGO RFC
was drafted) so it was easier to just always protect the integrity of
the mech list... for what it was worth ...

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
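The point above about binding the GSS context to the TLS channel, as an added example that is not part of the thread or of MIT krb5: the client derives RFC 5929 tls-server-end-point data from the server certificate it saw, the Kerberos mech hashes the channel bindings into the 16-byte Bnd field of the authenticator checksum (RFC 4121 section 4.1.1.2: integers little-endian, each buffer as a 4-byte length followed by its bytes; the layout here follows what MIT krb5 does in its channel-binding checksum routine, which I treat as an assumption), and the acceptor recomputes Bnd from its own certificate. The certificate byte strings are constructed stand-ins, and the function names are mine.

```python
"""Added example: binding a Kerberos GSS context to a TLS channel."""
import hashlib
import hmac

GSS_C_AF_UNSPEC = 0  # address type meaning "no address" (RFC 2744)

# Constructed stand-ins for DER certificates; any bytes will do, since the
# binding only hashes them.  Not real certificates.
SERVER_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-SERVER-CERT"
MITM_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-MITM-CERT"


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5929 tls-server-end-point binding data.

    The certificate is hashed with the hash of its own signature
    algorithm, except that MD5 and SHA-1 are upgraded to SHA-256.
    """
    name = sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return b"tls-server-end-point:" + hashlib.new(name, cert_der).digest()


def encode_channel_bindings(app_data: bytes,
                            initiator_addrtype: int = GSS_C_AF_UNSPEC,
                            initiator_addr: bytes = b"",
                            acceptor_addrtype: int = GSS_C_AF_UNSPEC,
                            acceptor_addr: bytes = b"") -> bytes:
    """Serialize gss_channel_bindings_t the way the krb5 mech hashes it
    (RFC 4121 s4.1.1.2, layout assumed to match MIT krb5): little-endian
    integers, each buffer as 4-byte length then bytes, fields in order."""
    def u32(n: int) -> bytes:
        return n.to_bytes(4, "little")

    def buf(b: bytes) -> bytes:
        return u32(len(b)) + b

    return (u32(initiator_addrtype) + buf(initiator_addr)
            + u32(acceptor_addrtype) + buf(acceptor_addr)
            + buf(app_data))


def krb5_bnd(app_data: bytes, **addrs) -> bytes:
    """The 16-byte Bnd field in the GSS checksum of the AP-REQ authenticator.
    It travels inside the Kerberos-protected authenticator, so the server
    can trust that the client really computed it."""
    return hashlib.md5(encode_channel_bindings(app_data, **addrs)).digest()


def acceptor_check(received_bnd: bytes, own_cert_der: bytes,
                   sig_hash: str) -> bool:
    """Acceptor side: recompute Bnd from the certificate *it* presented and
    compare in constant time.  A mismatch is GSS_S_BAD_BINDINGS territory."""
    expected = krb5_bnd(tls_server_end_point(own_cert_der, sig_hash))
    return hmac.compare_digest(received_bnd, expected)


def demo() -> tuple:
    """Honest TLS connection versus a TLS-terminating man-in-the-middle.

    In both cases the client binds to the certificate it actually saw; only
    in the honest case does that match what the real acceptor computes.
    Returns (honest_accepted, mitm_accepted)."""
    # Honest: client sees the real server certificate.
    client_bnd = krb5_bnd(tls_server_end_point(SERVER_CERT_DER, "sha256"))
    honest_ok = acceptor_check(client_bnd, SERVER_CERT_DER, "sha256")

    # MITM: client sees the interceptor's certificate; the interceptor
    # forwards the (unmodifiable) authenticator to the real server.
    client_bnd = krb5_bnd(tls_server_end_point(MITM_CERT_DER, "sha256"))
    mitm_ok = acceptor_check(client_bnd, SERVER_CERT_DER, "sha256")
    return honest_ok, mitm_ok


if __name__ == "__main__":
    honest, mitm = demo()
    print("honest TLS channel accepted:", honest)
    print("relayed through MITM accepted:", mitm)
```

The check is only as good as the acceptor's side of it: the server must supply its own channel bindings to the accept call so the mechanism has something to compare against; a client that sends Bnd to an acceptor that passes none gets no protection from this field, and that is where the per-application INTEG versus "just bind" choice from the thread comes in.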





