<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 13/05/2015 21:37, Jeffrey Altman
wrote:<br>
</div>
<blockquote cite="mid:5553A7ED.4060206@secure-endpoints.com"
type="cite">
<pre wrap="">On 5/13/2015 3:17 PM, Nico Williams wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Kerberos in particular supports PROT_READY. There is no Kerberos IV GSS
mechanism, FYI. I'd never heard of GSS-SRP-6a; do you have a reference?
</pre>
</blockquote>
<pre wrap="">
Nico,
Look for draft-burdis-cat-srp-sasl. It was never standardized but I
believe there is an implementation in Cyrus/SASL. This is the most
recent version I could find
<a class="moz-txt-link-freetext" href="http://www.opensource.apple.com/source/passwordserver_sasl/passwordserver_sasl-159/cyrus_sasl/doc/draft-burdis-cat-srp-sasl-xx.txt">http://www.opensource.apple.com/source/passwordserver_sasl/passwordserver_sasl-159/cyrus_sasl/doc/draft-burdis-cat-srp-sasl-xx.txt</a>
Jeffrey Altman
</pre>
</blockquote>
<tt>No, I was referring to the (apparently never defined, <br>
though I thought it was) use of RFC2945 (SRP 3) as a <br>
GSS mechanism, with the additional bug fixes in SRP-6 <br>
(RFC5054) and SRP-6a (no RFC).</tt><tt> Here I am referring<br>
to the SRP mechanism enhancements in RFC5054, not the<br>
TLS binding also in RFC5054.<br>
</tt><tt><br>
</tt><tt>Because SRP-3 and SRP-6 are (from the outside) a kind <br>
of authenticated DH exchange, neither end will be <br>
ready to calculate MIC values until the primary <br>
exchange messages have been completed (this does not <br>
include any additional key confirmation messages that <br>
might be folded into the channel binding legs).</tt><tt><br>
</tt><tt><br>
</tt><tt>This differs from Kerberos, where each end knows the <br>
MIC key before sending its first GSS token.</tt><tt><br>
</tt><br>
<br>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="http://www.wisemo.com">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
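<p>Added example, not part of the original message or of any implementation mentioned in the thread: a toy SRP-6a exchange in Python showing that each side's key depends on the peer's public value, so no MIC can be computed when the initiator sends its first token. The group parameters, the hash encoding, the HMAC-based <code>mic</code> and all class and function names are assumptions made for the illustration.</p>
<pre>
```python
import hashlib, hmac, secrets

# Toy group (assumption): 2**521 - 1 is prime but is NOT a vetted SRP safe-prime group.
N, g = 2**521 - 1, 3

def H(*parts):  # hash ints/bytes, length-prefixed, to an int (simplified encoding)
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes(66, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier
def private_x(salt, user, password):
    return H(salt, user + b":" + password)

def mic(key, msg):
    if key is None:
        raise RuntimeError("no MIC key yet: peer's public value not received")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Initiator:
    def __init__(self, user, password):
        self.user, self.password, self.key = user, password, None
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)            # goes out in the first token, unprotected
    def receive(self, salt, B):               # key exists only once B has arrived
        if B % N == 0: raise ValueError("illegal B")
        u, x = H(self.A, B), private_x(salt, self.user, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.key = hashlib.sha256(S.to_bytes(66, "big")).digest()

class Acceptor:
    def __init__(self, salt, verifier):
        self.salt, self.v, self.key = salt, verifier, None
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
    def receive(self, A):                     # key exists only once A has arrived
        if A % N == 0: raise ValueError("illegal A")
        S = pow(A * pow(self.v, H(A, self.B), N) % N, self.b, N)
        self.key = hashlib.sha256(S.to_bytes(66, "big")).digest()

def run_exchange(enrolled_pw, typed_pw, user=b"alice", salt=b"constructed-salt"):
    acc = Acceptor(salt, pow(g, private_x(salt, user, enrolled_pw), N))
    ini = Initiator(user, typed_pw)
    had_key_at_start = ini.key is not None or acc.key is not None
    acc.receive(ini.A)
    ini.receive(acc.salt, acc.B)
    return had_key_at_start, mic(ini.key, b"msg") == mic(acc.key, b"msg")
```
</pre>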
</body>
</html>