Current semantics for channel-bindings in GSSAPI

Isaac Boukris iboukris at gmail.com
Mon Mar 23 17:19:35 EDT 2020


On Sat, Mar 21, 2020 at 11:45 AM Isaac Boukris <iboukris at gmail.com> wrote:
>
> On Fri, Mar 20, 2020 at 10:19 PM Isaac Boukris <iboukris at gmail.com> wrote:
> >
> > BTW, it looks like both Heimdal/MIT do not handle the bindings in the
> > DCE style case, so we'd just not return channel-bound in that case.
>
> Actually, that seems wrong. I think the bindings are checked in the
> first leg of authentication, so perhaps we should keep the
> channel-bound flag on the context and return it by the end (although
> I'm not sure an outer channel is relevant).

Oh, the MIT code was already doing it, added tests for it.

