Subject: Re: [wss] text of Kerberos Channel binding and GSS-API (kerberos WG list)
- From: Anthony Nadalin <drsecure@us.ibm.com>
- To: Duane Nickull <dnickull@adobe.com>
- Date: Tue, 14 Jun 2005 09:45:27 -0500
There is the case with the non-GSSAPI AP-REQ not having an authenticator, and it may need transport-level security to protect the message and token.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Duane Nickull <dnickull@adobe.com> wrote on 06/14/2005 09:23 AM:
Found another point of view on the web....
- Channel binding
Section 4, last paragraph (lines 214-215) says "It should be noted
that transport-level security MAY be used to protect the message and
the security token." I think this needs some clarification.
Why should the AP-REQ message require additional protection from
lower layers? From what sorts of attacks? What if no such
protection is available? Shouldn't the session key from the AP-REQ
be used to provide integrity protection to the S11 header?
Or is this text indicating, obliquely I suppose, that it is possible
to use this profile for authentication but rely on lower network
layers for session protection?
If the latter, note that there is a channel binding problem in that
more normative text is needed to ensure that the end-points of the
lower-layer channel and the application layer are effectively the
same, else MITM attacks may be possible. [Note: I assume that the
"transport-level security" is secure against MITM attacks, but MITM
attacks may be feasible nonetheless by misdirecting the
system/application so that at one layer or the other it is speaking to
an otherwise properly authenticated attacker.] This can be avoided
with some additional requirements. <SNIP>
http://www1.ietf.org/mail-archive/web/kitten/current/msg00496.html
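The endpoint-mismatch problem the quoted review describes, as an added illustration that is not part of either message: a toy MIC keyed by the AP-REQ session key over the S11 header, computed with and without a value derived from the lower-layer channel's endpoint identity. All key material, endpoint identifiers and function names are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample session key standing in for the key carried in the AP-REQ.
SESSION_KEY = b"constructed-kerberos-session-key"


def channel_binding(transport_endpoint_id: bytes) -> bytes:
    """Derive a binding value from the lower-layer channel's endpoint identity
    (for example a hash of the credential the transport layer authenticated)."""
    return hashlib.sha256(transport_endpoint_id).digest()


def make_mic(session_key: bytes, header: bytes, binding: Optional[bytes]) -> bytes:
    """Integrity tag over the S11 header; when a binding is given it is mixed in,
    so the tag only verifies on the channel it was produced for."""
    data = header + (b"|cb=" + binding if binding is not None else b"")
    return hmac.new(session_key, data, hashlib.sha256).digest()


def verify_mic(session_key: bytes, header: bytes,
               binding: Optional[bytes], mic: bytes) -> bool:
    return hmac.compare_digest(make_mic(session_key, header, binding), mic)


def accepted(bind: bool, client_endpoint: bytes, service_endpoint: bytes) -> bool:
    """Client computes its MIC over the channel it sees; the service verifies
    against the channel it terminates. Returns True if the service accepts.
    When the two endpoints differ, the message crossed two distinct lower-layer
    channels, which is exactly the case the review says must be rejected."""
    header = b"<S11:Header>constructed sample header</S11:Header>"
    client_cb = channel_binding(client_endpoint) if bind else None
    service_cb = channel_binding(service_endpoint) if bind else None
    mic = make_mic(SESSION_KEY, header, client_cb)
    return verify_mic(SESSION_KEY, header, service_cb, mic)


if __name__ == "__main__":
    same = b"endpoint:service"
    other = b"endpoint:intermediary"
    print("unbound, endpoints differ :", accepted(False, other, same))  # True
    print("bound,   endpoints differ :", accepted(True, other, same))   # False
    print("bound,   endpoints match  :", accepted(True, same, same))    # True
```

Without the binding the MIC verifies no matter which transport channel delivered it, which is the gap the additional normative requirements are meant to close.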