On 10/11/11 13:19, Josh Howlett wrote:
All this is possible for GSS-EAP, but it's starting to look kind of
complex in terms of generic gss-preauth:
What are the practical benefits of a generic gss pre-auth mechanism when
Kerberos pre-auth itself provides an extensible framework? I can see that
there is value in re-using deployed gss mechanisms if this avoids
having to create functionally-equivalent but redundant pre-auth mechanisms
in the case where an equivalent gss mechanism already exists, but are
there really so many of these that this is a compelling argument? It
sounds as though there is potentially a trade-off that we could make
between complexity and generality.
Hi Josh,
In the first place, to make the KDC Moonshot-enabled you need it to
support GSS preauth. You can consider the KDC as another RP within a
realm.
In the second place, the use of FAST to protect the transport may turn out
to be redundant for many authentication mechanisms (for example, EAP, where no
assumptions are made on the security of the transport layer),
introducing unnecessary round trips and computational effort (FAST
requires a DH to be performed).
Note that you can see GSS preauth as an alternative to FAST, not to the
Kerberos preauth framework. The latter only defines the guidelines to
define preauth mechanisms (which we have followed to define the GSS preauth).
Regards,
Alejandro
_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab