I try hard to understand when should mechListMIC be generated in SPNEGO, but still find the specification (RFC 4178
) confusing. I'd like to interpret it this way:
- If the chosen mech is the first one in the list, don't bother to create it
- Generate the MIC whenever you think you can do it, i.e. mech's isEstablished() is true
- Response to a MIC whenever you receive one
In case you believe the incoming token should have the MIC but it hasn't, if it's already marked COMPLETE, you go COMPLETE also. Otherwise, it may be expecting a MIC from you, either create the MIC and send back, or send back an empty COMPLETE.
OK, I admit I don't understand it.