The problem with this approach is that we end up reimplementing RFC 3961. It's possible now to build an enctype-agnostic implementation, and this would make that harder, at least with the APIs provided by shipping Kerberos implementations.
-- Luke

On 01/04/2011, at 9:35 AM, Nico Williams wrote:

> On Mar 31, 2011 5:32 PM, "Luke Howard" <[email protected]> wrote:
> >
> > Note with GSS EAP we don't need to negotiate the hash function inside our
> > mechanism because it falls out of the enctype, and that in turn from the
> > mech OID, so GSS negotiates for us. Assuming you only want to use the
> > mandatory checksum type, of course.
>
> In that case I'd just bite the bullet and use a hash function and a MIC of
> the hash. There's costs to this approach, but it seems likely that those will
> be more acceptable than the alternatives'.
>
> Nico
> --
>
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
