
shibboleth-dev - Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"

Subject: Shibboleth Developers

List archive

Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"


  • From: Leif Johansson <>
  • To:
  • Cc: Josh Howlett <>
  • Subject: Re: wrt user entry of a pointer to their IDP ..or.. "invisible SSO"
  • Date: Thu, 27 Sep 2007 12:51:37 +0200

Josh Howlett wrote:
> Responding to my own post:
>
>
>> It's been recently pointed out to me that Negotiate (SPNEGO
>> over HTTP), which all modern browsers support, is a one-shot
>> protocol and so does not support channel bindings or mutual
>> authentication of the GSS mechanism (Kerberos, in this case).
>> Fixing this would be quite an effort.
>>
>> Whether or not we care enough about the lack of these
>> properties, in this particular context, is another question.
>>
>
> After hitting the 'Send' button, I thought it might be worth expanding
> on this point lest that statement comes across as negligent.
>
> The reason I think that the lack of channel bindings and mutual
> authentication *might* be moot is that the Kerberos service ticket is
> not used for authentication of the principal. The ticket is just
> acting as a discovery cue for boot-strapping a SAML authN assertion
> request. In this case, why do channel bindings and mutual authentication
> matter?
>
But don't you want to turn around and use SPNEGO for the
actual authentication too at some point? Then you have to
care about mutual auth - especially if you are doing credentials
delegation :-)
> I am probably going out on a limb here, but it strikes me as analogous
> to the way that we don't care about authentication of TLS connection
> peers in the front-channel bindings; these aren't part of the trust
> fabric that matters.
>
> josh.
>