Hi. Luke discovered a bit of a problem. Jim proposed that acceptors echo back their name rather than simply relying on the name match in channel bindings. The intent is to prevent a malicious actor from being able to connect one GSS-EAP peer to another in a situation where channel binding is not enforced properly. That is, we want man-in-the-middle defense always even if we're not going to get malicious NAS defense because channel binding is not happening.
The issue is that the initiator and/or acceptor may not know the acceptor's realm yet. My recommended implementation strategy is that if the realm name is present on both the initiator and acceptor it must match. Luke notes that it is easier to compare ignoring the realm. I'm concerned that for some realm-based services that might allow substitution of one realm for another. Either way, I think it's probably too late in the process to do anything about this in terms of spec text. This will probably be our first erratum. However I'd like to get community input on what implementations should do.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
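The two comparison rules discussed above, written out as an added example that is not code from the thread, from any GSS-EAP implementation, or from the spec. It assumes, hypothetically, that the acceptor echoes a host-based service name of the form service@host or service@host@realm, that host names compare case-insensitively and realm names case-sensitively, and that a side which does not yet know the realm simply omits it. The sample names are constructed for the example.

```python
"""Acceptor-name comparison for a GSS-EAP-style initiator (added example).

Not code from the abfab thread or any GSS-EAP implementation. Assumed name
syntax: "service@host" or "service@host@realm", e.g. "host@nas.example.net@EXAMPLE.NET".
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class AcceptorName:
    service: str
    host: str
    realm: Optional[str]  # None when the realm is not (yet) known on this side


def parse_acceptor_name(text: str) -> AcceptorName:
    """Split "service@host[@realm]". Host is case-folded (DNS-style), the realm is
    kept as-is and compared case-sensitively; both are assumptions of this example."""
    parts = text.split("@")
    if len(parts) == 2:
        service, host = parts
        realm: Optional[str] = None
    elif len(parts) == 3:
        service, host, realm = parts
    else:
        raise ValueError(f"malformed acceptor name: {text!r}")
    if not service or not host or realm == "":
        raise ValueError(f"malformed acceptor name: {text!r}")
    return AcceptorName(service, host.lower(), realm)


def match_ignoring_realm(expected: AcceptorName, echoed: AcceptorName) -> bool:
    """The simpler rule Luke describes: compare only service and host."""
    return expected.service == echoed.service and expected.host == echoed.host


def match_realm_if_both_present(expected: AcceptorName, echoed: AcceptorName) -> bool:
    """The proposed rule: service and host must match, and when both sides carry a
    realm the realms must match too. A missing realm on either side is not a
    mismatch, since either party may not know the acceptor's realm yet."""
    if not match_ignoring_realm(expected, echoed):
        return False
    if expected.realm is not None and echoed.realm is not None:
        return expected.realm == echoed.realm
    return True


Rule = Callable[[AcceptorName, AcceptorName], bool]


def initiator_accepts(rule: Rule, expected_text: str, echoed_text: str) -> bool:
    """Apply a rule to the name the initiator targeted and the name the acceptor echoed."""
    return rule(parse_acceptor_name(expected_text), parse_acceptor_name(echoed_text))


if __name__ == "__main__":
    # Constructed sample: the initiator targets host@nas.example.net in realm EXAMPLE.NET.
    expected = "host@nas.example.net@EXAMPLE.NET"
    for echoed in ("host@nas.example.net@EXAMPLE.NET",
                   "host@nas.example.net",                # acceptor does not know its realm yet
                   "host@nas.example.net@OTHER.EXAMPLE",  # same host name, different realm
                   "host@other.example.net@EXAMPLE.NET"):
        ignore = initiator_accepts(match_ignoring_realm, expected, echoed)
        both = initiator_accepts(match_realm_if_both_present, expected, echoed)
        print(f"{echoed:38} ignore-realm={ignore!s:5} realm-if-both-present={both}")
```

The third sample name is the case the message worries about: a peer in OTHER.EXAMPLE that presents the same service and host labels passes the realm-ignoring rule, while the realm-if-both-present rule rejects it, yet still tolerates the second sample, where the acceptor simply has not learned its realm.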
