Sam, so should I raise it as a bug?

Thanks
Markus

"Sam Hartman" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> >>>>> "Markus" == Markus Moeller <[EMAIL PROTECTED]> writes:
>
>     Markus> What is the value of channel bindings if either side (client
>     Markus> and/or server) can ignore it by setting it to
>     Markus> GSS_C_NO_CHANNEL_BINDINGS? It seems to me a useless
>     Markus> functionality, or do you have an example where it can be used?
>
>     Markus> Thanks Markus
>
>     Markus> "Sam Hartman" <[EMAIL PROTECTED]> wrote in message
>     Markus> news:[EMAIL PROTECTED]
>     >> >>>>> "Markus" == Markus Moeller <[EMAIL PROTECTED]> writes:
>     >>
>     Markus> I noticed that from MIT version 1.2.4 to 1.3.1 the
>     Markus> gss_accept_sec_context call has changed in ftpd.c. It is
>     Markus> now set to always use GSS_C_NO_CHANNEL_BINDINGS. I also
>     Markus> noticed that changing the channel bindings in
>     Markus> gss_init_sec_context on the client doesn't create an error
>     Markus> I would expect.
>     >> MIT assumes that null channel bindings on the server means
>     >> that any channel bindings are acceptable to that server,
>     >> including null. draft-ietf-krb-wg-gssapi-cfx-xx.txt allows
>     >> this and has been approved for publication by the IESG.
>     >>
>     Markus> I also see a different behaviour in my proftpd mod_gss
>     Markus> module. If the client uses gss_init_sec_context with
>     Markus> GSS_C_NO_CHANNEL_BINDINGS, the channel bindings settings
>     Markus> in gss_accept_sec_context on the server are ignored (e.g.
>     Markus> if the server uses channel bindings with application data
>     Markus> set and the client used GSS_C_NO_CHANNEL_BINDINGS, the
>     Markus> client can log in).
>     >>
>     >> It seems to be the way the code is written. I'm not sure it is
>     >> to spec or a good idea.
>     >>
>     >> ________________________________________________
>     >> Kerberos mailing list [EMAIL PROTECTED]
>     >> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> It's authenticated. So if both sides use it then it will be verified
> and required to be correct.
>
> As I consider the current behavior more I don't like the MIT server's
> tendency to discard client channel bindings though. I believe a
> server should be able to require channel bindings.
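The acceptance rules argued over in this thread, modelled in Python as an added example (this is not code from the thread, from MIT Kerberos or from mod_gss). The encoding of the 16-byte Bnd field follows RFC 1964 section 4.1.1.2 / RFC 4121 section 4.1.1.2 as I read them (little-endian integers, fields in declaration order, all-zero for GSS_C_NO_CHANNEL_BINDINGS); the class and function names, the "lenient"/"require" policy switch and the application-data sample are this example's own assumptions. What it shows that the prose does not: the acceptor never receives the initiator's bindings, only the hash carried under the authenticator checksum (which is what "it's authenticated" refers to), so a server can only compare the hash of its own bindings against the received one, and the two behaviours discussed (null on the server accepts anything; null from the client is ignored even when the server set bindings) are two separate branches of that comparison.

```python
"""Model of channel-binding handling in the Kerberos V5 GSS-API mechanism.

Added example, not MIT Kerberos code. 'lenient' models the behaviour Markus
observed (server GSS_C_NO_CHANNEL_BINDINGS accepts anything; a client that
sent GSS_C_NO_CHANNEL_BINDINGS is not checked against the server's bindings);
'require' models the policy Sam argues for (the server may insist on them).
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Address-type constants from the GSS-API C bindings (RFC 2744).
GSS_C_AF_NULLADDR = 0
GSS_C_AF_INET = 2


@dataclass(frozen=True)
class ChannelBindings:
    """Mirror of gss_channel_bindings_struct (names are this example's own)."""
    initiator_addrtype: int = GSS_C_AF_NULLADDR
    initiator_address: bytes = b""
    acceptor_addrtype: int = GSS_C_AF_NULLADDR
    acceptor_address: bytes = b""
    application_data: bytes = b""


# GSS_C_NO_CHANNEL_BINDINGS is a null pointer in C; None models it here.
GSS_C_NO_CHANNEL_BINDINGS: Optional[ChannelBindings] = None


def _le32(n: int) -> bytes:
    return struct.pack("<I", n)


def bnd_field(cb: Optional[ChannelBindings]) -> bytes:
    """16-byte Bnd value the initiator places in the AP-REQ authenticator
    checksum (RFC 1964 / RFC 4121 section 4.1.1.2, as I read them):
    16 zero octets for no bindings, otherwise MD5 over the LE encoding."""
    if cb is None:
        return bytes(16)
    buf = (_le32(cb.initiator_addrtype)
           + _le32(len(cb.initiator_address)) + cb.initiator_address
           + _le32(cb.acceptor_addrtype)
           + _le32(len(cb.acceptor_address)) + cb.acceptor_address
           + _le32(len(cb.application_data)) + cb.application_data)
    return hashlib.md5(buf).digest()


def acceptor_decision(server_cb: Optional[ChannelBindings],
                      client_bnd: bytes,
                      require: bool = False) -> bool:
    """Model the channel-binding check inside gss_accept_sec_context.

    server_cb:  what the acceptor application passed (None = no bindings).
    client_bnd: the 16-byte Bnd field recovered from the initiator's
                authenticator; the acceptor never sees the bindings themselves.
    require:    False = lenient behaviour described in the thread,
                True  = the server refuses an initiator that sent none.
    """
    if server_cb is None:
        # Acceptor passed GSS_C_NO_CHANNEL_BINDINGS: any client value, including
        # the all-zero "no bindings" value, is acceptable.
        return True
    if client_bnd == bytes(16):
        # Initiator sent GSS_C_NO_CHANNEL_BINDINGS. Lenient mode ignores the
        # server's bindings (Markus's mod_gss observation); require mode does not.
        return not require
    # Both sides supplied bindings: they must hash to the same value.
    return client_bnd == bnd_field(server_cb)


def policy_matrix(server_cb: ChannelBindings) -> dict:
    """Outcome of each client/server combination for the two policies."""
    none_bnd = bnd_field(GSS_C_NO_CHANNEL_BINDINGS)
    match_bnd = bnd_field(server_cb)
    return {
        "server none / client none": acceptor_decision(None, none_bnd),
        "server none / client set": acceptor_decision(None, match_bnd),
        "server set / client match": acceptor_decision(server_cb, match_bnd),
        "server set / client none (lenient)": acceptor_decision(server_cb, none_bnd),
        "server set / client none (require)": acceptor_decision(server_cb, none_bnd, require=True),
    }


if __name__ == "__main__":
    # Constructed sample: a server that binds the context to application data.
    srv = ChannelBindings(application_data=b"constructed-session-token")
    for case, accepted in policy_matrix(srv).items():
        print(f"{case:40s} -> {'accept' if accepted else 'reject'}")
```

The matrix is the whole argument in one place: with the lenient rule a client that omits bindings logs in regardless of what the server configured, so bindings only protect a session when both ends set them; with the require rule the server's configuration actually governs the outcome.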