[Freeipa-users] Understanding role of the certificate in client - server communication.

Simo Sorce simo at redhat.com
Wed Mar 19 12:50:44 UTC 2014


On Wed, 2014-03-19 at 10:56 +0200, Alexander Bokovoy wrote:
> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
> >Thank you for the answer.
> >Sorry if I lack the knowledge, but why is SSL needed when using Kerberos?
> >Kerberos is based on a third party that is trusted; why is there a need for
> >public key encryption?
> Using Kerberos only, without asking for integrity and confidentiality
> services, and without channel bindings to the outer encryption, is prone to
> MITM even with valid TLS channels.
> 
> Use of certificates allows performing mutual authentication at the SSL
> level and later performing channel binding of the tunnelled Kerberos
> communication.
> 
> Note that Kerberos over HTTP is weak without transport level security.
> HTTP authentication per se is independent of the transport.
> 
> For more details you can look at Joe Orton's talk at ApacheCon'2008:
> http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf

Note also that Negotiate does not actually use channel binding to the
outer TLS channel in any implementation I know of :/

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
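
An added illustration of the two points above (this is example code, not part of the post, of FreeIPA, or of any GSS-API library): how a TLS channel binding would be carried in the Kerberos GSS-API authenticator, and why its absence lets a TLS-terminating man in the middle relay a Negotiate token unchanged. It assumes the "tls-server-end-point" binding type from RFC 5929 (hash of the server certificate, MD5/SHA-1 upgraded to SHA-256), the "Bnd" checksum layout from RFC 1964 section 4.1.1.2 (MD5 over the channel-binding fields with 4-byte little-endian integers, 16 zero octets for GSS_C_NO_BINDINGS), and address fields left at type 0 and zero length. The certificate bytes, algorithm names and server/attacker roles are constructed placeholders.

```python
"""Added example: TLS channel binding inside the Kerberos GSS checksum,
and a constructed relay that succeeds only when no binding is used.
Assumptions: RFC 5929 tls-server-end-point, RFC 1964 Bnd layout,
placeholder certificates (not real DER)."""
from typing import Optional
import hashlib
import hmac
import struct

# RFC 5929 section 4.1: hash the end-entity certificate with the hash of its
# signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256.
# Only a few common algorithm names are listed; others are rejected.
_SIGALG_HASH = {
    "md5WithRSAEncryption": "sha256",
    "sha1WithRSAEncryption": "sha256",
    "sha256WithRSAEncryption": "sha256",
    "ecdsa-with-SHA256": "sha256",
    "sha384WithRSAEncryption": "sha384",
    "ecdsa-with-SHA384": "sha384",
    "sha512WithRSAEncryption": "sha512",
    "ecdsa-with-SHA512": "sha512",
}

# Constructed placeholders standing in for DER certificates: distinct byte
# strings so the hashes differ, not real certificates.
REAL_SERVER_CERT = b"constructed-der-of-ipa-server"
ATTACKER_CERT = b"constructed-der-of-mitm-proxy"
SIG_ALG = "sha256WithRSAEncryption"


def tls_server_end_point(cert_der: bytes, sig_alg: str) -> bytes:
    """Return the RFC 5929 'tls-server-end-point' channel binding data."""
    try:
        hash_name = _SIGALG_HASH[sig_alg]
    except KeyError:
        raise ValueError(f"no channel binding hash defined for {sig_alg}")
    return b"tls-server-end-point:" + hashlib.new(hash_name, cert_der).digest()


def serialize_bindings(app_data: bytes, init_type: int = 0, init_addr: bytes = b"",
                       acc_type: int = 0, acc_addr: bytes = b"") -> bytes:
    """Serialize a gss_channel_bindings_t the way RFC 1964 hashes it:
    every address type and length as a 4-byte little-endian integer, and
    address/data bytes appended only when their length is non-zero."""
    out = struct.pack("<I", init_type)
    out += struct.pack("<I", len(init_addr)) + init_addr
    out += struct.pack("<I", acc_type)
    out += struct.pack("<I", len(acc_addr)) + acc_addr
    out += struct.pack("<I", len(app_data)) + app_data
    return out


def gss_bnd_field(app_data: Optional[bytes]) -> bytes:
    """The 16-byte Bnd field of the Kerberos GSS-API checksum (RFC 1964 /
    RFC 4121). None models GSS_C_NO_BINDINGS and yields 16 zero octets."""
    if app_data is None:
        return bytes(16)
    return hashlib.md5(serialize_bindings(app_data)).digest()


def relay_scenario(use_bindings: bool) -> bool:
    """Constructed relay: the client's TLS session terminates at the attacker's
    certificate; the attacker opens its own TLS session to the real server and
    forwards the Negotiate token unchanged. Returns True when the server
    accepts the relayed authenticator."""
    if use_bindings:
        # The client binds to the certificate it actually saw (the attacker's);
        # the server expects a binding to its own certificate.
        client_bnd = gss_bnd_field(tls_server_end_point(ATTACKER_CERT, SIG_ALG))
        server_expected = gss_bnd_field(tls_server_end_point(REAL_SERVER_CERT, SIG_ALG))
    else:
        # Negotiate as deployed: GSS_C_NO_BINDINGS on both sides, so Bnd is
        # 16 zero octets no matter which TLS channel carried the token.
        client_bnd = gss_bnd_field(None)
        server_expected = gss_bnd_field(None)
    return hmac.compare_digest(server_expected, client_bnd)


if __name__ == "__main__":
    print("relay accepted with bindings:   ", relay_scenario(True))
    print("relay accepted without bindings:", relay_scenario(False))
```

The Bnd comparison is the only place the TLS identity and the Kerberos identity meet; with GSS_C_NO_BINDINGS both sides compute the same all-zero field, so a valid TLS certificate on each hop does nothing to tie the ticket to the endpoint the user actually connected to.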