On Wed, 2014-03-19 at 10:56 +0200, Alexander Bokovoy wrote:
> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
> >Thank you for the answer.
> >Sory if i lack the knowledge, but why SSL is needed when using kerberos?
> >Kerberos is based on 3th party that is trusted, why there is a need for
> >public key encryption?
> Using Kerberos only, without asking for integrity and confidentiality
> services,  without channel bindings to the outer encryption, is prone to
> MITM even with valid TLS channels.
> 
> Use of certificates allows to perform mutual authentication at the SSL
> level and later perform channel bindings of the tunnelled Kerberos
> communication.
> 
> Note that Kerberos over HTTP is weak without transport level security.
> HTTP authentication per se is independent of the transport.
> 
> For more details you can look at Joe Orton's talk at ApacheCon'2008:
> http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf

Note also that Negotiate does not actually use channel binding to the
outer TLS channel in all implementation I know of :/

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to