On Wed, 2014-03-19 at 10:56 +0200, Alexander Bokovoy wrote:
> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
> >Thank you for the answer.
> >Sorry if I lack the knowledge, but why is SSL needed when using Kerberos?
> >Kerberos is based on a third party that is trusted; why is there a need for
> >public key encryption?
> Using Kerberos only, without asking for integrity and confidentiality
> services, without channel bindings to the outer encryption, is prone to
> MITM even with valid TLS channels.
>
> Use of certificates allows performing mutual authentication at the SSL
> level and later performing channel bindings of the tunnelled Kerberos
> communication.
>
> Note that Kerberos over HTTP is weak without transport level security.
> HTTP authentication per se is independent of the transport.
>
> For more details you can look at Joe Orton's talk at ApacheCon'2008:
> http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf
Note also that Negotiate does not actually use channel binding to the
outer TLS channel in all implementations I know of :/

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
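As an added illustration of the channel-binding point made in this thread (this is not code from the thread, from FreeIPA or from any GSS-API library; the authenticator format, the session key and the two "certificate" byte strings are constructed placeholders, and the binding value is modelled after the RFC 5929 tls-server-end-point idea rather than taken from a real implementation), the following Python simulation shows why a Kerberos-style authenticator that is not bound to the outer TLS channel can be relayed across two valid TLS sessions, while one whose checksum covers the binding fails verification at the real server:

```python
"""Toy model of binding a Kerberos-style authenticator to the outer TLS channel.

Constructed illustration only: not GSS-API, SPNEGO/Negotiate or the Kerberos
wire format. The certificates below are placeholder byte strings.
"""
import hashlib
import hmac
from typing import Optional


def tls_server_end_point(cert_der: bytes) -> bytes:
    """Channel-binding data in the spirit of RFC 5929 'tls-server-end-point'.

    The real definition hashes the server's end-entity certificate with the
    hash of its signature algorithm (SHA-256 when that is MD5 or SHA-1); this
    toy always uses SHA-256 over the constructed certificate bytes.
    """
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def make_authenticator(session_key: bytes, principal: str,
                       cb_data: Optional[bytes]) -> dict:
    """Client side: build an authenticator whose MAC covers the channel binding.

    In GSS-API Kerberos the channel-binding hash travels in the authenticator
    checksum, which is protected by the session key. Here that is modelled as
    an HMAC over (principal, cb_data); cb_data=None models a client that sends
    no binding at all.
    """
    body = principal.encode() + (cb_data or b"")
    mac = hmac.new(session_key, body, hashlib.sha256).digest()
    return {"principal": principal, "bound": cb_data is not None, "mac": mac}


def verify_authenticator(session_key: bytes, auth: dict,
                         server_cb_data: bytes, require_binding: bool) -> bool:
    """Server side: recompute the MAC using the binding of *its own* TLS channel."""
    if require_binding and not auth["bound"]:
        return False
    cb = server_cb_data if auth["bound"] else b""
    expected = hmac.new(session_key, auth["principal"].encode() + cb,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, auth["mac"])


def relay_scenario() -> dict:
    """Replay one client authenticator over a second, attacker-terminated TLS channel."""
    session_key = b"constructed-kerberos-session-key"  # shared via the KDC in real Kerberos
    principal = "alice@EXAMPLE.TEST"                    # constructed client principal

    # Constructed placeholders for two *valid* server certificates: the real
    # service, and a second endpoint that terminates the client's TLS session.
    real_cert = b"-----constructed DER: CN=service.example.test-----"
    other_cert = b"-----constructed DER: CN=other.example.test-----"
    cb_real = tls_server_end_point(real_cert)
    cb_other = tls_server_end_point(other_cert)

    # The client is speaking TLS to the other endpoint, so a binding-aware
    # client binds to *that* channel's certificate; a naive client binds to nothing.
    bound_to_other = make_authenticator(session_key, principal, cb_other)
    unbound = make_authenticator(session_key, principal, None)

    return {
        # honest case: client bound directly to the real server's certificate
        "direct_bound": verify_authenticator(
            session_key, make_authenticator(session_key, principal, cb_real), cb_real, True),
        # relayed: the real server sees its own cert, the MAC covers the other cert
        "relayed_bound": verify_authenticator(session_key, bound_to_other, cb_real, True),
        # no binding and a server that does not insist on one: the relay succeeds
        "relayed_unbound_lenient": verify_authenticator(session_key, unbound, cb_real, False),
        # no binding but the server requires one: rejected
        "relayed_unbound_strict": verify_authenticator(session_key, unbound, cb_real, True),
    }
```

`relay_scenario()` reports one boolean per case. The two "relayed_unbound" keys are the situation Simo describes: when neither side uses channel binding, the outer TLS channel being valid does nothing to tie the Kerberos exchange to it, and only a server policy that requires a binding (and a client that sends one) closes the gap.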
