Subject: RE: [wss] text of Kerebos Channel binding and GSS-API (kerebos WG list)
I think this is the e-mail which resulted in the original issue...

Gudge

> -----Original Message-----
> From: Duane Nickull [mailto:dnickull@adobe.com]
> Sent: 14 June 2005 16:23
> To: wss@lists.oasis-open.org
> Subject: [wss] text of Kerebos Channel binding and GSS-API (kerebos WG list)
>
> Found another point of view on the web....
>
> - Channel binding
>
> Section 4, last paragraph (lines 214-215) says "It should be noted that
> transport-level security MAY be used to protect the message and the
> security token." I think this needs some clarification.
>
> Why should the AP-REQ message require additional protection from lower
> layers? From what sorts of attacks? What if no such protection is
> available? Shouldn't the session key from the AP-REQ be used to provide
> integrity protection to the S11 header?
>
> Or is this text indicating, obliquely I suppose, that it is possible to
> use this profile for authentication but rely on lower network layers for
> session protection?
>
> If the latter, note that there is a channel binding problem in that more
> normative text is needed to ensure that the end-points of the lower-layer
> channel and the application layer are effectively the same, else MITM
> attacks may be possible. [Note: I assume that the "transport-level
> security" is secure against MITM attacks, but MITM attacks may be
> feasible nonetheless by misdirecting the system/application so that at
> one layer or the other it is speaking to an otherwise properly
> authenticated attacker.] This can be avoided with some additional
> requirements. <SNIP>
>
> http://www1.ietf.org/mail-archive/web/kitten/current/msg00496.html
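The channel-binding requirement the quoted message asks for, shown as an added Python example (not code from this thread or from any Kerberos/GSS-API implementation): a constructed HMAC under a stand-in AP-REQ session key plays the authenticator checksum, a hash of the server certificate plays the transport channel identifier (the tls-server-end-point idea), and the service accepts the token only when the channel the client bound it to is the channel the service itself terminates. Certificates, session key and SOAP header are all constructed sample values.

```python
import hashlib
import hmac

def channel_binding_token(server_cert_der: bytes) -> bytes:
    """Hypothetical channel identifier: hash of the TLS server certificate the
    client actually connected to (tls-server-end-point style, SHA-256 assumed)."""
    return b"tls-server-end-point:" + hashlib.sha256(server_cert_der).digest()

def make_authenticator(session_key: bytes, payload: bytes, cb_token: bytes = b"") -> bytes:
    """Stand-in for the AP-REQ authenticator checksum: an HMAC under the
    session key over the SOAP header and, when bound, the channel token."""
    return hmac.new(session_key, cb_token + b"|" + payload, hashlib.sha256).digest()

def verify_authenticator(session_key: bytes, payload: bytes, tag: bytes, cb_token: bytes = b"") -> bool:
    """Service side: recompute over ITS OWN view of the channel and compare."""
    expected = make_authenticator(session_key, payload, cb_token)
    return hmac.compare_digest(expected, tag)

def run_scenarios() -> dict:
    session_key = bytes(range(32))                       # constructed AP-REQ session key
    service_cert = b"constructed DER: service certificate"
    rogue_cert = b"constructed DER: certificate of a misdirected endpoint"
    header = b"<wsse:Security>...</wsse:Security>"       # constructed S11 header

    service_cb = channel_binding_token(service_cert)

    # 1. The client's TLS channel terminates at the real service: both sides
    #    derive the same channel token, so the bound authenticator verifies.
    direct = verify_authenticator(
        session_key, header, make_authenticator(session_key, header, service_cb), service_cb)

    # 2. The client is misdirected: its TLS channel ends at another endpoint,
    #    which forwards the authenticator to the service over its own channel.
    #    The client bound to rogue_cb; the service checks against service_cb.
    rogue_cb = channel_binding_token(rogue_cert)
    relayed_bound = verify_authenticator(
        session_key, header, make_authenticator(session_key, header, rogue_cb), service_cb)

    # 3. Same relay, but the profile leaves channel binding out: the
    #    authenticator says nothing about which channel carried it.
    relayed_unbound = verify_authenticator(
        session_key, header, make_authenticator(session_key, header))

    return {"direct": direct, "relayed_bound": relayed_bound, "relayed_unbound": relayed_unbound}
```

Only the bound variant lets the service detect that the lower-layer channel and the application-layer authentication ended at different endpoints, which is the extra normative requirement the quoted message is asking for.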