RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Oct 22 16:53:40 UTC 2014

On Tue, Oct 21, 2014 at 04:09:59PM -0500, Nico Williams wrote:

> [Adding Roland and Viktor to the cc list.  I'm not quoting anything,
> but it's roughly this: there's interest in implementing RFC2712, which
> is Kerberos in TLS.  Hank is inviting me to state my opinion; see
> below.]
> RFC2712 is to be burned.  Please do not implement.  We should either
> add a different extension to TLS to use Kerberos (or GSS), or simply
> not try this.

My take is that there is no future for Kerberos ciphersuites in
TLS.  Instead, Kerberos-based authentication in TLS should be based
on channel-binding.  Negotiate a TLS session with (ignored if
present) or without certificates, extract a channel-binding, and
use GSSAPI with channel binding to perform mutual authentication.

I strongly agree with Nico, DO NOT implement the TLS Kerberos cipher
suites.  I'd like to see these removed from OpenSSL at some point.


More information about the security-dev mailing list