directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Cheskum types
Date Fri, 08 Jan 2016 14:41:53 GMT
Ah right, good point! That's why these enc/checksum types were still made out even though we know
they're deprecated already. Yeah, we would deprecate them, not retire or totally abandon them.
I believe we need some sort of work to revisit this field considering such things. Enc/checksum
types are used in various places where they need to be configurable. Different places need
different levels of security or strength of encryption and checksum types. Your suggestion sounds
good to me: configurable, and also an API allowing them to be set on demand.

Regards,
Kai

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Friday, January 08, 2016 10:33 PM
To: kerby@directory.apache.org
Subject: Re: Cheskum types

On 08/01/16 14:42, Zheng, Kai wrote:
> Yeah, we need to catch up with latest updates in this aspect and deprecate some of encryption
> and checksum types for security considerations. I think this can be done prior to 1.0.0, aligning
> with both MIT Kerberos and Oracle Java.

The question here is: do we want to guarantee a sort of backward compatibility with old (and
insecure) Kerberos implementations?

One option would be to add some configuration element that enables the deprecated Checksum
type on demand. That would be totally insane, but you never know what users have to deal with,
especially in big companies or administrations ;-)

For instance, in France, one airport was shut down for half a day at the end of last year because
one system was running on a ... Windows 3.1 computer !!!
(http://arstechnica.com/information-technology/2015/11/failed-windows-3-1-system-blamed-for-taking-out-paris-airport/).
Have fun ;-)
