Hi. At the mic in Quebec I raised the following issue about GSS preauth and ABFAB.
I want to be able to use GSS preauth between the RP and the KDC even if the initiator knows nothing about it. That is:

    gss-eap                                   initiator <-> RP
    FAST(rp armor key, gss-preauth(gss-eap))  RP <-> KDC

When that happens:

* The initiator should obtain a TGT which it probably can't use because, well, it doesn't know about gss preauth.
* The RP should obtain a service ticket. This is critical and is the motivation for allowing gss preauth even when the initiator doesn't know about it. This allows the KDC to be a central policy point all the time gss-eap is used.
* The initiator and KDC know the TGT key.
* The initiator, RP and KDC know the context key for the gss-eap context between the initiator and RP. It's not critical that the KDC knows this key, but it will.

Is there any interest in figuring out how to do this? If we cannot, then Moonshot may end up introducing a separate eap-preauth proposal to meet this use case. It would be highly desirable to avoid both eap-preauth and gss-preauth. I think everyone agrees that gss-preauth is cleaner if we can make it work.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
