On 5/13/2015 10:19 AM, Matt Caswell wrote:
>
>
> On 08/05/15 09:40, Matt Caswell wrote:
>>
>>
>> On 08/05/15 02:28, Jeffrey Altman wrote:
>>
>>> Regardless, the inability to improve the support in this area has left
>>> those organizations that rely upon 2712 with the choice to use
>>> insecu
On 08/05/15 09:40, Matt Caswell wrote:
>
>
> On 08/05/15 02:28, Jeffrey Altman wrote:
>
>> Regardless, the inability to improve the support in this area has left
>> those organizations that rely upon 2712 with the choice to use
>> insecure protocols or re-implement the applications. I do
I should have mentioned NPN and ALPN too.
A TLS application could use ALPN to negotiate the use of a variant of
the real application protocol, with the variant starting with a
channel-bound GSS context token exchange.
The ALPN approach can optimize the GSS mechanism negotiation, at the
price of
On Fri, May 08, 2015 at 05:17:29PM -0400, Nathaniel McCallum wrote:
> I agree that the current situation is not sustainable. I was only
> hoping to start a conversation about how to improve the situation.
RFC2712 uses Authenticator, which is an ASN.1 type quite clearly NOT
intended for use outside
On 5/8/2015 5:17 PM, Nathaniel McCallum wrote:
>
> I agree that the current situation is not sustainable. I was only
> hoping to start a conversation about how to improve the situation.
>
> For instance, there is this: http://tls-kdh.arpa2.net/
>
> I don't see any reason this couldn't be expanded
On Thu, 2015-05-07 at 21:28 -0400, Jeffrey Altman wrote:
> On 5/7/2015 8:40 PM, Viktor Dukhovni wrote:
> > On Thu, May 07, 2015 at 08:00:17PM -0400, Nathaniel McCallum wrote:
> >
> > > There have been some conversations behind Red Hat doors about
> > > improving the state of Kerberos/TLS in both s
On 08/05/15 02:28, Jeffrey Altman wrote:
> Regardless, the inability to improve the support in this area has left
> those organizations that rely upon 2712 with the choice to use
> insecure protocols or re-implement the applications. I do not believe
> that any sane OS or application vendor
On 5/7/2015 8:40 PM, Viktor Dukhovni wrote:
> On Thu, May 07, 2015 at 08:00:17PM -0400, Nathaniel McCallum wrote:
>
>> There have been some conversations behind Red Hat doors about
>> improving the state of Kerberos/TLS in both standards and
>> implementations. Could we maybe have a broader conver
On Thu, May 07, 2015 at 08:00:17PM -0400, Nathaniel McCallum wrote:
> There have been some conversations behind Red Hat doors about
> improving the state of Kerberos/TLS in both standards and
> implementations. Could we maybe have a broader conversation about how
> to fix this situation?
To be bl