FIPS certification

Nicolas Williams Nicolas.Williams at sun.com
Sat Feb 28 00:51:06 EST 2009


On Fri, Feb 27, 2009 at 09:29:15PM -0800, Randy Turner wrote:
> I haven't completely analyzed MIT Kerberos, but I was wondering if it  
> would be possible to get the MIT Kerberos subsystem to use the OpenSSL  
> crypto API for any cryptographic support needed for Kerberos?

MIT Kerberos has its own crypto code, yes.

Solaris Kerberos is based on MIT Kerberos and replaced the crypto with
calls to PKCS#11 (in user-land).  I believe the Solaris Kerberos team
wants to integrate these changes (challenging though it is) into MIT
krb5, but I don't know when it will happen.  That would be your best
bet.  The Solaris Kerberos stack is open source, like most things in
OpenSolaris (though some parts are under the CDDL, which MIT has in the past
considered incompatible with its aims, so Sun has donated code to MIT in
the past, meaning placed it under MIT's license).

If you're interested we can talk about the challenges in revamping MIT
krb5 to not use its own crypto code.

Nico
-- 