Hello,

As I understand it, it is about the Extended Protection for Integrated Windows Authentication (probably only GSSAPI/Kerberos and GSS-SPNEGO/SSPCred which is not an OpenJDK mechanism).
In this case it includes Channel binding tokens into the subject information. CBT are not per se TLS specific, however for traffic in TLS channels they do bind to the TLS session or to the endpoint.

https://tools.ietf.org/html/rfc5056#section-3.2

Some projects have implemented channel binding for IIS or WinRM already, for example here is a good discussion:

https://github.com/requests/requests-kerberos/pull/92

Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Michael Osipov <1983-01...@gmx.net>
Sent: Wednesday, December 18, 2019 6:37 PM
To: Bernd Eckenfels; security-dev@openjdk.java.net
Subject: Re: Microsoft LDAP Channel Binding

On 2019-12-18 at 04:29, Bernd Eckenfels wrote:
> Hello,
>
> Microsoft just released a Security Advisory, announcing that upcoming
> Windows Server Versions will turn on mandatory TLS Channel Binding (and turn
> off simple binds with mandatory SASL signing) on LDAP Servers.

Another question here, typically Microsoft: What makes you think that this is TLS channel binding? All I see is LDAP channel binding for which I fail to find any technical documentation.

Michael
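
Added example, not part of the thread and not code from any project mentioned in it: how a channel binding token tied to the TLS endpoint can be derived for GSSAPI/Kerberos. It goes beyond the message by assuming the `tls-server-end-point` rules of RFC 5929 and the bindings hash of RFC 4121; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Hash choice for tls-server-end-point (RFC 5929, section 4.1): use the hash of
# the certificate's signature algorithm, but replace MD5 and SHA-1 with SHA-256.
_UPGRADED = {"md5", "sha1"}
_SUPPORTED = {"sha256", "sha384", "sha512"}  # narrowed set for this example


def endpoint_hash(cert_der: bytes, sig_hash: str) -> bytes:
    """Hash of the server certificate (DER) as the endpoint binding defines it."""
    name = sig_hash.lower().replace("-", "")
    if name in _UPGRADED:
        name = "sha256"
    if name not in _SUPPORTED:
        raise ValueError(f"endpoint binding not handled for {sig_hash!r}")
    return hashlib.new(name, cert_der).digest()


def application_data(cert_der: bytes, sig_hash: str) -> bytes:
    """Binding type prefix followed by the certificate hash."""
    return b"tls-server-end-point:" + endpoint_hash(cert_der, sig_hash)


def gss_bindings_md5(app_data: bytes, initiator: bytes = b"",
                     acceptor: bytes = b"") -> bytes:
    """MD5 over the GSS channel bindings structure (RFC 4121, section 4.1.1.2).

    Address types are 0 (unspecified); every length is 4 bytes little-endian.
    """
    packed = b"".join((
        struct.pack("<II", 0, len(initiator)), initiator,
        struct.pack("<II", 0, len(acceptor)), acceptor,
        struct.pack("<I", len(app_data)), app_data,
    ))
    return hashlib.md5(packed).digest()


# Constructed stand-in bytes, not a real certificate: the hash only sees DER bytes.
SAMPLE_CERT_DER = bytes.fromhex("3082000a") + b"constructed-certificate-bytes"

if __name__ == "__main__":
    data = application_data(SAMPLE_CERT_DER, "sha1")
    print(data[:21], len(data))
    print(gss_bindings_md5(data).hex())
```

Because the value depends on the certificate the client actually saw, a token relayed through a different TLS endpoint yields a different hash and the acceptor can reject it.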