On Fri, 2011-08-19 at 08:53 -0400, gareth.richa...@rsa.com wrote:
> I had always thought the same way as Sam, that clients would be
> required to implement all of the options since there appears to be no
> other way for them to support different disconnected token types. The
> specification was in
I have a last-call comment about the KDC-generated nonce used in 4-pass
mode. I would like the text in section 3.2 changed from:
This nonce string MUST be as long as the longest key length of
the symmetric key types that the KDC supports and MUST be chosen
randomly.
to:
>> I think we can succeed in using mail for clarification (like we're
>> doing now). We all just have to be willing to look stupid now and
>> then.
> One picture often says more than a 1000 words.
Pictures can be sent (by reference, one hopes) over mailing lists as
well. But it's more than tha
> There are a lot of such acronyms, and although in shown examples it
> does not make much difference I met several very confusing. Is there
> any document specifying the use and meaning of acronyms?
"The Tao of IETF" gives the meaning of some acronyms, but in general I
imagine that it would be a
> But anybody clearly understands that if your internal hosts do not have
> a public address then all attacks may be only static - wait until an
> internal host opens TCP to somewhere.
This is a naive understanding. Source-routing would let me get
packets through to an internal address unless your NAT
> doesn't this require the NAT to use the same inside<->outside
> address binding for the connection between the client and the KDC as
> for the connection between the client and the application server?
> e.g. it seems like the NAT could easily change address bindings
> during the lifetime of a ti
I'd like to make some clarifications about Kerberos and NAT.
>> When AUTH is used with Kerberos 4 and Kerberos 5 there are issues
>> related to the IP addresses which are embedded into the Kerberos
>> tickets which specify the valid machines from which the tickets are
>> valid.
> Are you saying