Re: tls and channel binding
Nicolas Williams <Nicolas.Williams <at> sun.com>
2007-11-27 21:50:26 GMT
On Tue, Nov 27, 2007 at 04:33:53PM -0500, Sam Hartman wrote:
> I think I said this a while back but Jeff suggested I say so again.
>
> I believe that if we're going to advance the tls document either as
> informational or standards track it should have channel binding
> between the Kerberos PDUs and the TLS channel.
>
> This is my opinion as an individual bordering on AD. I.e. it might
> well be a blocking comment but if the WG indicated they disagreed I'd
> have to consider carefully before blocking.

I agree with what Sam says. Wherever we separate authentication and transport protection by introducing a secure channel, and we are able to do channel binding, then we should do channel binding. We should require compelling reasons to do otherwise.

In this particular case we gain a lot from being able to do channel binding (e.g., the ability to learn a realm's KDC certs without out-of-band, secure trust anchor distribution, and even the ability to do without server certificates).

Nico

--
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
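The point Sam and Nico are making, as an added illustration that is not part of the thread and not the working group's draft: once the Kerberos exchange is carried inside a TLS channel, the authentication key can vouch for the channel by covering a channel binding value (modelled here on tls-server-end-point, a hash of the certificate the peer actually presented). If an interposed TLS endpoint terminates the channel with a different certificate, the client's and server's binding values diverge and the bound PDU fails verification, which is why the server certificate itself no longer needs to be trusted out of band. The session key, certificate blobs and PDU bytes below are constructed placeholders; the MAC construction is a simplification, not Kerberos's actual checksum profile.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins: the session key client and server share after a
# successful Kerberos ticket exchange, certificate blobs, and a PDU.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SERVER_CERT = b"constructed: DER of the real server's certificate"
RELAY_CERT = b"constructed: DER of the certificate an interposed TLS endpoint presents"
KRB_PDU = b"constructed: KRB-AP-REQ bytes"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """Channel binding value in the style of tls-server-end-point (RFC 5929):
    a hash of the certificate the TLS peer presented to this side."""
    return hashlib.sha256(cert_der).digest()


def tag_pdu(session_key: bytes, pdu: bytes, cb: Optional[bytes]) -> bytes:
    """MAC over the PDU under the Kerberos session key; when channel binding
    is in use the binding value is mixed into the MAC input."""
    data = (cb or b"") + b"|" + pdu
    return hmac.new(session_key, data, hashlib.sha256).digest()


def verify_pdu(session_key: bytes, pdu: bytes, tag: bytes, cb: Optional[bytes]) -> bool:
    """Server side: recompute the tag with the binding value derived from the
    server's OWN certificate and compare in constant time."""
    return hmac.compare_digest(tag_pdu(session_key, pdu, cb), tag)


def exchange(client_saw_cert: bytes, bound: bool) -> bool:
    """Run one authentication over a TLS channel and report whether the
    server accepts the PDU.

    The client derives its binding value from the certificate it observed on
    its TLS connection; the server derives its own from the certificate it
    actually holds. A relay that re-terminates TLS makes these differ."""
    client_cb = tls_server_end_point(client_saw_cert) if bound else None
    tag = tag_pdu(SESSION_KEY, KRB_PDU, client_cb)
    # ... PDU and tag travel over the (possibly relayed) TLS channel ...
    server_cb = tls_server_end_point(SERVER_CERT) if bound else None
    return verify_pdu(SESSION_KEY, KRB_PDU, tag, server_cb)


def direct_bound() -> bool:
    # Client talks to the real server: binding values agree.
    return exchange(SERVER_CERT, bound=True)


def relayed_bound() -> bool:
    # Client's TLS ends at a relay with a different certificate: detected.
    return exchange(RELAY_CERT, bound=True)


def relayed_unbound() -> bool:
    # Same relay, but the PDU is not bound to the channel: nothing detects it,
    # so the client would have to rely on certificate trust instead.
    return exchange(RELAY_CERT, bound=False)


if __name__ == "__main__":
    print("direct, bound:   accepted =", direct_bound())
    print("relayed, bound:  accepted =", relayed_bound())
    print("relayed, unbound accepted =", relayed_unbound())
```

The contrast between the last two functions is the whole argument: with binding, the server rejects an authentication whose TLS channel ended somewhere other than at the server, regardless of whether the client validated any certificate; without it, the client's only protection against an interposed endpoint is a separately distributed trust anchor.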