On Tue, Oct 21, 2014 at 04:09:59PM -0500, Nico Williams wrote:

> [Adding Roland and Viktor to the cc list. I'm not quoting anything,
> but it's roughly this: there's interest in implementing RFC2712, which
> is Kerberos in TLS. Hank is inviting me to state my opinion; see
> below.]
>
> RFC2712 is to be burned. Please do not implement. We should either
> add a different extension to TLS to use Kerberos (or GSS), or simply
> not try this.
My take is that there is no future for Kerberos ciphersuites in TLS.
Instead, Kerberos-based authentication in TLS should be based on channel
binding. Negotiate a TLS session with (ignored if present) or without
certificates, extract a channel binding, and use GSSAPI with channel
binding to perform mutual authentication.

I strongly agree with Nico, DO NOT implement the TLS Kerberos cipher
suites. I'd like to see these removed from OpenSSL at some point.

-- 
Viktor.
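The "extract a channel binding" step in Viktor's recipe is where the TLS
session gets tied to the GSS-API exchange. The following is an added
example, not code from this thread or from OpenSSL: it derives the
tls-server-end-point channel binding of RFC 5929 from a server certificate
(hash the DER certificate with the hash named by its signatureAlgorithm,
with MD5 and SHA-1 promoted to SHA-256) and prefixes it with the binding
type name and a colon, which is the application_data value a GSS-API
library expects in its channel bindings structure. It is standard-library
Python only; the DER walk is a minimal parser for the outer Certificate
structure, and make_sample_cert() builds a constructed, non-verifiable
certificate so the example runs offline. Passing the result to a real
Kerberos context (for instance python-gssapi's ChannelBindings object via
its application_data argument) is assumed, not shown.

```python
"""tls-server-end-point channel binding (RFC 5929) for use as GSS-API
channel-binding application_data.  Added example; stdlib only."""
import hashlib
import ssl

# signatureAlgorithm OID -> hash used for the certificate digest.
# RFC 5929 section 4.1: use the hash from the certificate's
# signatureAlgorithm, except that MD5 and SHA-1 are replaced by SHA-256.
_SIGALG_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption  -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1       -> SHA-256
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

PREFIX = b"tls-server-end-point:"   # binding type name + ':' (RFC 5056 s7)


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, end_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: next n bytes are the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def signature_hash_name(cert_der):
    """Name of the hash to use for this certificate's end-point binding.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    Only the outer signatureAlgorithm (the CA's choice) matters here.
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, sigalg, _ = _read_tlv(cert, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(sigalg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    dotted = _decode_oid(oid)
    if dotted not in _SIGALG_HASH:
        raise ValueError(f"no RFC 5929 hash mapping for {dotted}")
    return _SIGALG_HASH[dotted]


def tls_server_end_point(cert_der):
    """GSS application_data for the tls-server-end-point binding."""
    digest = hashlib.new(signature_hash_name(cert_der), cert_der).digest()
    return PREFIX + digest


def binding_from_socket(sock: ssl.SSLSocket) -> bytes:
    """Same derivation on a live connection: hash the peer's DER cert."""
    der = sock.getpeercert(binary_form=True)
    if not der:
        raise ValueError("no peer certificate: tls-server-end-point needs one")
    return tls_server_end_point(der)


# --- constructed sample input (NOT a real certificate) -------------------
def _tlv(tag, value):
    assert len(value) < 0x80            # short-form lengths suffice here
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sigalg_oid):
    """Constructed Certificate shell with a placeholder tbsCertificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                      # SEQUENCE{INT 1}
    sigalg = _tlv(0x30, _tlv(0x06, _encode_oid(sigalg_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 16)                   # dummy BIT STRING
    return _tlv(0x30, tbs + sigalg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.10045.4.3.3"):
        cert = make_sample_cert(oid)
        print(oid, signature_hash_name(cert), tls_server_end_point(cert).hex())
```

Two caveats for the "with or without certificates" case. The end-point
binding only exists when the server presented a certificate; for a session
negotiated without one the RFC 5929 tls-unique binding (the first Finished
message, exposed in Python as sock.get_channel_binding("tls-unique") and
prefixed "tls-unique:") is the alternative, and it is only defined for TLS
1.2 and earlier; TLS 1.3 uses the exporter-based binding of RFC 9266.
Whichever binding is used, both peers derive it independently and the GSS
library, not the application, rejects the context if they differ, so the
application's job is only to compute it correctly and always supply it.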