JSS/krb5 should ignore remote channel binding info when not requested at local side (RFC 4121 4.1.1.2: the acceptor MAY ignore...). All major krb5 implementors implement this "MAY", and some applications depend on it as a workaround for not having a way to negotiate the use of channel binding -- the initiator application always uses CB and hopes the acceptor will ignore the CB if the acceptor doesn't support CB.
|