Subject: RE: [wss] text of Kerberos Channel binding and GSS-API (Kerberos WG list)


I think this is the e-mail which resulted in the original issue...

Gudge

> -----Original Message-----
> From: Duane Nickull [mailto:dnickull@adobe.com]
> Sent: 14 June 2005 16:23
> To: wss@lists.oasis-open.org
> Subject: [wss] text of Kerberos Channel binding and GSS-API (Kerberos WG list)
> 
> Found another point of view on the web...
> 
> - Channel binding
> 
>    Section 4, last paragraph (lines 214-215) says "It should be noted
>    that transport-level security MAY be used to protect the message and
>    the security token."  I think this needs some clarification.
> 
>    Why should the AP-REQ message require additional protection from
>    lower layers?  From what sorts of attacks?  What if no such
>    protection is available?  Shouldn't the session key from the AP-REQ
>    be used to provide integrity protection to the S11 header?
> 
>    Or is this text indicating, obliquely I suppose, that it is possible
>    to use this profile for authentication but rely on lower network
>    layers for session protection?
> 
>    If the latter, note that there is a channel binding problem in that
>    more normative text is needed to ensure that the end-points of the
>    lower-layer channel and the application layer are effectively the
>    same, else MITM attacks may be possible.  [Note: I assume that the
>    "transport-level security" is secure against MITM attacks, but MITM
>    attacks may be feasible nonetheless by misdirecting the
>    system/application so that at one layer or the other it is speaking to
>    an otherwise properly authenticated attacker.]  This can be avoided
>    with some additional requirements.  <SNIP>
> 
> http://www1.ietf.org/mail-archive/web/kitten/current/msg00496.html
> 
> 
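The "additional requirement" the quoted kitten post asks for, shown as an added example that is not part of this thread or of the WSS Kerberos profile: a Python sketch that mixes a hash of the TLS server certificate (tls-server-end-point style binding, RFC 5929) into the integrity tag keyed with the AP-REQ session key, so that a header authenticated over a lower-layer channel terminated somewhere else is rejected by the service. The session key, certificates and SOAP header are constructed stand-ins, and HMAC-SHA256 stands in for a Kerberos keyed checksum.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): the session key client and
# service share after the Kerberos AP-REQ, and the certificates presented at
# the TLS server end of the channel (stand-ins for DER bytes).
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVICE_CERT = b"constructed DER: genuine service certificate"
INTERPOSED_CERT = b"constructed DER: certificate of an interposed TLS endpoint"
HEADER = b"<wsse:Security>...AP-REQ token...</wsse:Security>"  # constructed


def channel_binding(server_cert: bytes) -> bytes:
    """tls-server-end-point style binding: hash of the certificate of the TLS
    endpoint the client actually reached.  Hash fixed to SHA-256 for brevity."""
    return hashlib.sha256(server_cert).digest()


def tag(session_key: bytes, header: bytes, cb: bytes = b"") -> bytes:
    """Integrity tag over the application-layer header, optionally covering
    the channel binding too.  HMAC stands in for a Kerberos keyed checksum."""
    return hmac.new(session_key, cb + header, hashlib.sha256).digest()


def client_sends(cert_seen: bytes, bound: bool) -> bytes:
    """Client tags the header; with binding on, it mixes in the hash of the
    certificate of whatever TLS endpoint it connected to."""
    cb = channel_binding(cert_seen) if bound else b""
    return tag(SESSION_KEY, HEADER, cb)


def service_accepts(received: bytes, bound: bool) -> bool:
    """Service recomputes the tag with the binding of the channel *it*
    terminated (its own certificate); a tag made over another channel fails."""
    cb = channel_binding(SERVICE_CERT) if bound else b""
    return hmac.compare_digest(tag(SESSION_KEY, HEADER, cb), received)


def outcome(cert_seen: bytes, bound: bool) -> bool:
    """True if the service accepts a header the client authenticated over a
    TLS channel ending at `cert_seen`.  Whoever relays the message cannot
    forge a fresh tag, because it never holds SESSION_KEY."""
    return service_accepts(client_sends(cert_seen, bound), bound)


if __name__ == "__main__":
    for bound in (False, True):
        print("binding" if bound else "no binding",
              "| direct:", outcome(SERVICE_CERT, bound),
              "| interposed:", outcome(INTERPOSED_CERT, bound))
```

Without the binding the relayed header verifies on either channel, which is exactly the gap the post describes; with it, only the header authenticated over the channel the service itself terminated is accepted.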
