Adding supported enctypes to kdc
Nicolas Williams
Nicolas.Williams at sun.com
Fri Nov 16 19:13:15 EST 2007
On Fri, Nov 16, 2007 at 03:50:16PM -0800, Russ Allbery wrote:
> John Washington <jawashin at uiuc.edu> writes:
>
> > I would definitely add aes128-cts-hmac-sha1-96 and
> > aes256-cts-hmac-sha1-96, as Microsoft is adding these to AD (and I
> > prefer good encryption, not really broken encryption)
>
> Is there any reason to add the 128-bit keys? So far, it seems like
> everyone who can do 128-bit can also do 256-bit, but maybe that isn't true
> of the upcoming Windows release? (They're both equally export-controlled,
> so far as I know.)
It isn't true for Solaris 10 without the supplemental cryptography
packages -- I don't recall if this changed in S10U4 or will change in
U5, but we're definitely moving towards delivering 256-bit key length
support by default.
Nico
--
More information about the Kerberos
mailing list