On Sun, Oct 30, 2011 at 8:40 PM, Nico Williams <[email protected]> wrote:
> To be fair krb5 pre-auth was never an issue before because a) we
> didn't have initial credential acquisition interfaces for GSS, b) we
> didn't have IAKERB. It's likely that this will never be a real issue.
> Indeed, what I'd want to do as a client app is specify things like
> "don't use weak authentication methods" and enctypes/cipher suites. I
> don't think I'd care to choose "PKINIT with user certs on a smartcard"
> vs. "PKINIT with SACRED instead of smartcards" vs. FAST armored
> PA-ENC-TIMESTAMP. So, I give, thanks for the analogy.

This is what had me nervous, Sam, and I now agree that I shouldn't look at GSS-EAP through the same prism when it comes to two-level negotiation.

What I want is probably best left as cred options (and possibly a req_flag, but I want to avoid adding req_flags whenever we can, since that's a very limited namespace) for expressing the app policies I mentioned above. Cred options on the default credential can be had by acquiring a credential for desired_name = GSS_C_NO_NAME and setting cred options on that, which is how we'd avoid having to add req_flags.

Nico

--
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
