Re: [TLS] Review of draft-santesson-tls-gssapi-00




EKR wrote:
> 
> An alternative proposal that seems even cleaner is to simply
> do the GSS first and then couple it to TLS with PSK.

In general, you really want to do TLS first, and then (GSS-API)
authentication, because there are still a lot of authentication
schemes in use that are "fairly weak" and will benefit when
performing the authentication exchange over an encrypted channel.

It also helps to protect the client identity (from network sniffers)
if the GSS-API authentication is performed within the encrypted
channel.

Thinking about it -- there is a chicken-and-egg problem with
my desire to protect the GSS-API token exchange with TLS and the attempt
to XOR entropy from gssapi message protection with pre-master
secret data from TLS key exchange.

So I would prefer moving the GSS-API authentication handshake
after the ChangeCipherSpec exchange and to look into GSS-API
channel bindings to link the gssapi authentication exchange
with the TLS handshake.

Looking at the TLS handshake protocol, when we move the GSS-API token
exchange after the client's ChangeCipherSpec message, it might be
best to move it one message further, i.e. outside of the
TLS handshake.

-Martin
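The point Martin makes about linking the GSS-API exchange to the TLS handshake via channel bindings can be illustrated with a small simulation. The following is an added example and is not code from the draft or from Martin's message: it models a completed TLS handshake as a pair of handshake randoms (a constructed stand-in for the real "tls-unique" binding, which is the first Finished message), and a GSS-like initial token as an HMAC over the client identity plus the channel-binding value. The shared key, the function names and the token layout are all assumptions made for the example. It then shows why the binding matters: an attacker who terminates TLS with the client and opens a second TLS session to the server can relay an unbound token and be accepted, but a token bound to the client's own session is rejected on the server's session.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsSession:
    """Stand-in for one completed TLS handshake (constructed, not real TLS).

    The channel-binding value is derived from both peers' handshake randoms, so
    two distinct sessions, such as the two legs of a man-in-the-middle, never
    share it. Real TLS would use the first Finished message ("tls-unique").
    """
    client_random: bytes
    server_random: bytes

    def channel_binding(self) -> bytes:
        return hashlib.sha256(
            b"tls-unique|" + self.client_random + self.server_random
        ).digest()


def tls_handshake() -> TlsSession:
    """Each call is a fresh, independent TLS session."""
    return TlsSession(os.urandom(32), os.urandom(32))


# Long-term key shared by the client and the authentication server. Constructed
# for the example; it stands in for whatever the GSS-API mechanism keys its
# authenticator with (e.g. a password-derived key).
SHARED_KEY = b"example-long-term-key-for-alice"


def authenticator(key: bytes, name: bytes, cb: bytes) -> bytes:
    """GSS-like initial token: a MIC over client identity and channel binding."""
    msg = b"gss-initial-token|" + name + b"|" + cb
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_token(session: TlsSession, name: bytes = b"alice",
               key: bytes = SHARED_KEY, bind: bool = True):
    # bind=False models an authentication exchange that ignores the channel.
    cb = session.channel_binding() if bind else b""
    return name, authenticator(key, name, cb)


def verify_token(token, session: TlsSession, key: bytes = SHARED_KEY,
                 bind: bool = True) -> bool:
    # The server recomputes the MIC using the binding of *its own* TLS session.
    name, tag = token
    cb = session.channel_binding() if bind else b""
    return hmac.compare_digest(tag, authenticator(key, name, cb))


def direct_auth(bind: bool = True) -> bool:
    """Client authenticates over the TLS session it actually opened to the server."""
    s = tls_handshake()
    return verify_token(make_token(s, bind=bind), s, bind=bind)


def relayed_auth(bind: bool = True) -> bool:
    """Attacker terminates TLS with the client, opens its own TLS session to the
    server, and forwards the client's GSS token unchanged between the two."""
    client_leg = tls_handshake()
    server_leg = tls_handshake()
    return verify_token(make_token(client_leg, bind=bind), server_leg, bind=bind)


if __name__ == "__main__":
    print("direct, bound:   ", direct_auth())             # True
    print("relayed, bound:  ", relayed_auth())            # False
    print("relayed, unbound:", relayed_auth(bind=False))  # True
```

The binding only helps if the value fed into the authenticator is one the attacker cannot make equal on both legs, which is why it must come from the TLS handshake itself rather than from anything the client sends in the clear; it also has to sit inside the mechanism's own integrity protection, as the HMAC does here, so the relay cannot simply strip or rewrite it.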


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls



