To be fair krb5 pre-auth was never an issue before because a) we didn't have initial credential acquisition interfaces for GSS, b) we didn't have IAKERB. It's likely that this will never be a real issue. Indeed, what I'd want to do as a client app is specify things like "don't use weak authentication methods" and enctypes/cipher suites. I don't think I'd care to choose "PKINIT with user certs on a smartcard" vs. "PKINIT with SACRED instead of smartcards" vs. FAST armored PA-ENC-TIMESTAMP. So, I give, thanks for the analogy.
Nico
--
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
