> If we switch to a MIC, can we just omit the channel binding token in the case
> the client has no channel bindings? The exchange that contains the channel
> binding token is itself protected by a MIC, so an attacker cannot remove it.
> The acceptor would need to raise an error if no binding token was provided
> and the caller of GSS_Accept_sec_context() indicated bindings.

... although this itself could be configurable with a context option to allow
missing bindings.

-- Luke
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
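
The acceptor-side rule discussed in this message, as an added sketch that is not part of the original thread or of any GSS-EAP implementation. The TLV layout, the subtoken type numbers, the use of HMAC-SHA256 as the MIC, and the `allow_missing` option name are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical subtoken types and TLV layout for this sketch; this is not the
# GSS-EAP wire encoding, and callers supply their own (sample) MIC key.
TOK_NAME, TOK_CHANNEL_BINDINGS = 1, 2
MIC_LEN = 32  # HMAC-SHA256 stands in for the mechanism's MIC


def encode(subtokens):
    """Serialize {type: value} as type(4) | length(4) | value, in type order."""
    return b"".join(struct.pack(">II", t, len(v)) + v
                    for t, v in sorted(subtokens.items()))


def decode(body):
    """Parse the TLV body; only called after the MIC has been verified."""
    out, off = {}, 0
    while off < len(body):
        t, n = struct.unpack_from(">II", body, off)
        out[t] = body[off + 8:off + 8 + n]
        off += 8 + n
    return out


def initiator_token(key, name, bindings=None):
    """Omit the channel binding subtoken when the client has no bindings."""
    subtokens = {TOK_NAME: name}
    if bindings is not None:
        subtokens[TOK_CHANNEL_BINDINGS] = bindings
    body = encode(subtokens)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def acceptor_check(key, token, expected_bindings=None, allow_missing=False):
    """Return a GSS-API major status name for the received exchange."""
    body, mic = token[:-MIC_LEN], token[-MIC_LEN:]
    good = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mic, good):
        return "GSS_S_BAD_MIC"  # covers a binding subtoken stripped in transit
    if expected_bindings is None:
        return "GSS_S_COMPLETE"  # assumption: caller indicated no bindings
    sent = decode(body).get(TOK_CHANNEL_BINDINGS)
    if sent is None:  # client omitted the subtoken
        return "GSS_S_COMPLETE" if allow_missing else "GSS_S_BAD_BINDINGS"
    ok = hmac.compare_digest(sent, expected_bindings)
    return "GSS_S_COMPLETE" if ok else "GSS_S_BAD_BINDINGS"
```

Because the MIC covers the whole exchange, `allow_missing` only relaxes the case where the client itself sent no binding subtoken; a subtoken removed in transit still fails MIC verification.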
