On Wed, Oct 25, 2023 at 08:51:29AM -0400, Ken Hornstein wrote: > I think we've lost the thread here; I do not think that any krb5 > mechanism today ever asserts PROT_READY before GSS_S_COMPLETE, but I > would love to be proven wrong.
That's the whole point of being able to use the initiator sub-session key: to allow the Kerberos GSS mechanism to assert PROT_READY on the first call to GSS_Init_sec_context() even when mutual auth is requested. Yes, RFC 4121 didn't say so, but it's the point. Nico -- ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
