directory-dev mailing list archives

From Richard Scott <Richard.Sc...@comcast.net>
Subject Re: Kerberos Question
Date Thu, 13 Jul 2006 01:59:00 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000099">
Hi, Enrique -<br>
<br>
Thanks for the response!&nbsp; Glad to know who's been involved here.&nbsp; <br>
<br>
Yes, MIT is dropping support for Version 4 of Kerberos where DES was
the only algorithm supported.&nbsp; While I know you are technically correct
that it is still available in KRB5, I thought they were attempting to
discourage its use.&nbsp; (It's been 10 years since I've been deep in that
code, though, so I probably should be careful in my assertions.)&nbsp;
Nevertheless, it's a fact that the DES is insecure, and that once the
FIPS is withdrawn, its use won't be sanctioned by any government or
financial institution.&nbsp; Products used by financial institutions (and I
work with a large one) have moved well away from DES (in the same way
that the original S/MIME specs required support for 40-bit RC2.&nbsp;
Nowadays, you don't hear that come up in a conversation!)<br>
<br>
When you say DES plays a key role in MS environments, I have to admit
I'm out of my comfort zone there.&nbsp; Does MS not even support 3DES?&nbsp; (I
know there was a "brouhaha" some time back when MS decided to "branch"
from MIT, but at the time I didn't care what MS did so didn't pay close
attention.)<br>
<br>
Appreciate the offer to help steer me around the code, and I'm sure
I'll take advantage of the offer once I have a chance to look at it a
bit more.<br>
<br>
Thanks,<br>
Richard<br>
<br>
Enrique Rodriguez wrote:
<blockquote cite="mid44B59B8C.2050702@apache.org" type="cite">Richard
Scott wrote:
  <br>
...
  <br>
  <blockquote type="cite">So, my question (to whomever it should be
addressed - and I have no clue who has been working in this area!) is
are there plans underway to drop support for DES in this implementation
as well?
    <br>
  </blockquote>
  <br>
Hi, Richard,
  <br>
  <br>
We don't have any plans to drop support for DES.&nbsp; Despite problems with
DES, it is still widely used.&nbsp; In fact, DES plays a key role in
Microsoft environments, as the primary cipher for interoperability.&nbsp; If
you can point to some information where other distros are dropping DES,
I'd love to read more.&nbsp; I believe what you mean is that MIT Kerberos is
dropping support for Version 4 of the Kerberos protocol.&nbsp; From an MIT
Kerberos announcement [1]:
  <br>
  <br>
"The Data Encryption Standard (DES) has reached the end of its useful
  <br>
life.&nbsp; DES is the only encryption algorithm supported by Kerberos 4,
  <br>
and the increasingly obvious inadequacy of DES motivates the
  <br>
retirement of the Kerberos 4 protocol."
  <br>
  <br>
We already don't support the Kerberos 4 protocol and because of its
age, vulnerability, and lack of deployment, we had never planned on
adding it.
  <br>
  <br>
  <blockquote type="cite">Who are the folks working on Kerberos?
    <br>
  </blockquote>
  <br>
It's good to have someone new looking at the Kerberos code.&nbsp; I am
intimately familiar with the Kerberos protocol-provider, so please let
me know if you have any questions.
  <br>
  <br>
Enrique
  <br>
  <br>
[1] <a class="moz-txt-link-freetext" href="http://www.secure-endpoints.com/kfw/kfw-3-0-announce.txt">http://www.secure-endpoints.com/kfw/kfw-3-0-announce.txt</a>
  <br>
  <br>
</blockquote>
<br>
</body>
</html>
