>>>>> "Luke" == Luke Howard <[email protected]> writes:
>> If we switch to a MIC, can we just omit the channel binding token
>> in the case the client has no channel bindings? The exchange that
>> contains the channel binding token is itself protected by a MIC,
>> so an attacker cannot remove it. The acceptor would need to raise
>> an error if no binding token was provided and the caller of
>> GSS_Accept_sec_context() indicated bindings.
Luke> ... although this itself could be configurable with a context
Luke> option to allow missing bindings.
If you want to work with HTTP, you want to ignore channel bindings if
the acceptor passes in null.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
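
The acceptor-side policy discussed in this thread, as an added example that is not part of the original messages or of any GSS-EAP implementation. It is a simplified model: HMAC-SHA256 stands in for the GSS MIC, and the message encoding, the hashed binding token and all function names, including the `allow_missing` option, are assumptions made for illustration.

```python
import hashlib
import hmac

def mic(key: bytes, exchange: bytes) -> bytes:
    # Stand-in for the MIC over the exchange (assumption: HMAC-SHA256).
    return hmac.new(key, exchange, hashlib.sha256).digest()

def encode_exchange(binding_token):
    # Hypothetical encoding: a presence flag, then a length-prefixed token,
    # so "no token" is itself covered by the MIC.
    if binding_token is None:
        return b"\x00"
    return b"\x01" + len(binding_token).to_bytes(4, "big") + binding_token

def initiator_message(key: bytes, client_bindings):
    # A client without channel bindings simply omits the token.
    token = None
    if client_bindings is not None:
        token = hashlib.sha256(client_bindings).digest()
    body = encode_exchange(token)
    return body, mic(key, body)

def acceptor_check(key, body, tag, acceptor_bindings, allow_missing=False):
    # 1. The MIC is checked first: a stripped or altered token fails here.
    if not hmac.compare_digest(mic(key, body), tag):
        return "reject: bad MIC"
    # 2. Acceptor passed in null bindings: ignore whatever the client sent.
    if acceptor_bindings is None:
        return "accept: bindings ignored"
    # 3. Acceptor indicated bindings but the client sent none.
    if body[:1] == b"\x00":
        if allow_missing:  # the configurable context option from the thread
            return "accept: missing bindings allowed"
        return "reject: bindings required"
    # 4. Both sides have bindings: they must match.
    n = int.from_bytes(body[1:5], "big")
    expected = hashlib.sha256(acceptor_bindings).digest()
    if hmac.compare_digest(body[5:5 + n], expected):
        return "accept: bindings match"
    return "reject: bindings mismatch"

if __name__ == "__main__":
    key = b"k" * 32                      # constructed context key
    tls = b"tls-unique:constructed"      # constructed channel binding data
    body, tag = initiator_message(key, tls)
    print(acceptor_check(key, body, tag, tls))
    print(acceptor_check(key, b"\x00", tag, tls))   # token removed in transit
    print(acceptor_check(key, body, tag, None))     # acceptor passes null
```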