So, I propose that we replace the existing GSS channel binding and extension wrap/MIC tokens (respectively) with RFC 3961 checksums using the CRK with the following key usage numbers:

    KEY_USAGE_CHANNEL_BINDINGS_MIC   TBD
    KEY_USAGE_ACCEPTOR_TOKEN_MIC     TBD
    KEY_USAGE_INITIATOR_TOKEN_MIC    TBD

A nice property of this is that we can efficiently deal with large GSS channel bindings (because we are sending a checksum rather than a wrap token; recall, we previously sent a wrap token so that the acceptor could ignore channel bindings without disturbing its sequence state).

Comments?

-- Luke

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
