List: krbdev
Subject: Re: Pre-authentication fallback considerations
From: Robbie Harwood <rharwood () redhat ! com>
Date: 2018-04-05 15:47:29
Message-ID: jlgtvspmz8u.fsf () redhat ! com
Greg Hudson <ghudson@mit.edu> writes:
> I am considering implementing the following rules in the client
> preauth framework:
>
> 1. If a preauth mech reaches the point of generating an authenticated
> request, and it fails, do not fall back to another mechanism, and
> instead error out. (This point would be the first client message for
> most mechs, but for SPAKE, it would normally be the second client
> message as the first message is just a group offer. Mechs would
> indicate when they have reached this point via a new callback.)
>
> 2. If a preauth mech is tried optimistically and it fails, do not
> apply any special fallback considerations such as trying the same mech
> again, or falling back to another mechanism even if #1 applies.

With #2 included, this seems good to me.

Thanks,
--Robbie