Subject: Re: [wss] text of Kerberos Channel binding and GSS-API (kerberos WG list)


There is the case of the non-GSS-API AP-REQ not having an authenticator, and it may need transport-level security to protect the message and token.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122


From: Duane Nickull <dnickull@adobe.com>
Date: 06/14/2005 09:23 AM
To: wss@lists.oasis-open.org
cc:
Subject: [wss] text of Kerberos Channel binding and GSS-API (kerberos WG list)

Found another point of view on the web....

- Channel binding

  Section 4, last paragraph (lines 214-215) says "It should be noted
  that transport-level security MAY be used to protect the message and
  the security token."  I think this needs some clarification.

  Why should the AP-REQ message require additional protection from
  lower layers?  From what sorts of attacks?  What if no such
  protection is available?  Shouldn't the session key from the AP-REQ
  be used to provide integrity protection to the S11 header?

  Or is this text indicating, obliquely I suppose, that it is possible
  to use this profile for authentication but rely on lower network
  layers for session protection?

  If the latter, note that there is a channel binding problem in that
  more normative text is needed to ensure that the end-points of the
  lower-layer channel and the application layer are effectively the
  same, else MITM attacks may be possible.  [Note: I assume that the
  "transport-level security" is secure against MITM attacks, but MITM
  attacks may be feasible nonetheless by misdirecting the
  system/application so that at one layer or the other it is speaking to
  an otherwise properly authenticated attacker.]  This can be avoided
  with some additional requirements.<SNIP>

http://www1.ietf.org/mail-archive/web/kitten/current/msg00496.html


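As an added illustration (not part of this thread, and not Kerberos or GSS-API code), a constructed Python model of the channel-binding check the quoted kitten text asks for: the application-layer authenticator is MACed with the session key over the S11 header plus a value identifying the transport-level endpoint, so a token relayed from a misdirected transport session fails verification at the real server. All names, the certificates and the session key are hypothetical stand-ins.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of channel binding. The "session key" stands
# in for the key carried by the AP-REQ; the "header" stands in for the S11
# header the quoted text says that key should integrity-protect.

def channel_binding(server_cert_der: bytes) -> bytes:
    """Binding value for the transport endpoint: hash of the server certificate
    the peer actually presented (in the spirit of tls-server-end-point)."""
    return hashlib.sha256(server_cert_der).digest()

def make_authenticator(session_key: bytes, binding: bytes, header: bytes) -> bytes:
    """Client: MAC over channel binding + S11 header, keyed by the session key."""
    return hmac.new(session_key, binding + header, hashlib.sha256).digest()

def verify_authenticator(session_key: bytes, binding: bytes, header: bytes, mac: bytes) -> bool:
    """Server: recompute using the binding of *its own* transport endpoint."""
    return hmac.compare_digest(make_authenticator(session_key, binding, header), mac)

def relay_scenarios(use_binding: bool) -> dict:
    """Compare a direct session with one where the client was misdirected to a
    different TLS endpoint that forwards the token to the real server."""
    session_key = os.urandom(32)                       # constructed stand-in
    header = b"<S11:Header>...</S11:Header>"           # constructed stand-in
    real_cert, other_cert = b"CERT-real-server", b"CERT-other-endpoint"

    def bind(cert: bytes) -> bytes:
        return channel_binding(cert) if use_binding else b""

    # Direct: client and server observe the same transport endpoint.
    mac = make_authenticator(session_key, bind(real_cert), header)
    direct = verify_authenticator(session_key, bind(real_cert), header, mac)

    # Relayed: client bound its token to the other endpoint; the real server
    # checks against its own certificate, so the endpoints no longer match.
    mac = make_authenticator(session_key, bind(other_cert), header)
    relayed = verify_authenticator(session_key, bind(real_cert), header, mac)
    return {"direct_accepted": direct, "relayed_accepted": relayed}

if __name__ == "__main__":
    print("with binding:   ", relay_scenarios(True))
    print("without binding:", relay_scenarios(False))
```

Without the binding the relayed token verifies just like the direct one, which is the gap the quoted text describes; with it, the mismatch is detected by the session-key MAC alone, independent of the transport layer.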

