On Fri, May 05, 2017 at 12:07:09AM -0500, Benjamin Kaduk wrote: > On 05/03/2017 09:33 PM, Blumenthal, Uri - 0553 - MITLL wrote: > > P.S. Care to name (another :) one security-related protocol that > > doesn't provide replay protection? > > Some of the earlier uses of Kerberos are subject to replay (hence > kerberos implementations can end up providing replay caches to try and > help, which are not perfect and slow to boot). More modern exchanges > that use GSS acceptor subkeys are not subject to replay, though.
We might be getting far afield now, but if you're not using "mutual auth" then GSS/Kerberos will look a lot like TLS 1.3 0-rtt. GSS apps that want that need to be careful, just as TLS 1.3 0-rtt apps. Also, even for the 1-rtt case, GSS/Kerberos supports early (0-rtt) data. Nico -- _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
