Need help interpreting krb5kdc log file, specifically etypes
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Jul 18 17:53:03 EDT 2006
On Tuesday, July 18, 2006 02:47:07 PM -0400 Ken Raeburn <raeburn at mit.edu>
wrote:
> On Jul 18, 2006, at 13:36, Jeffrey Altman wrote:
>> Negative values are reserved for private use by implementers.
>
> "Negative values are for private use; local and experimental
> algorithms should use these values."
> Not quite the same thing.
Right. These are "private use", which means their meaning is determined by
prior agreement between peers. It's OK for an implementation to use negative
values internally (for example, heimdal uses a single internal crypto API
for both RFC3961 enctypes and direct access to raw ciphers and hashes; the
latter are identified within the API by private-use values), but they
should never appear on the wire except in circumstances where the local
administrator has defined their meaning.
Until fairly recently, DHCP had a major problem with vendors "stealing"
private-use option codes which were intended to have locally-defined
meanings and assigning vendor-defined meanings to them instead. I would be
disappointed if Kerberos started to have the same sorts of problems.
-- Jeff