STARTTLS extension

H.-J. Schnitzer schnitzer2 at rz.rwth-aachen.de
Wed Oct 9 06:54:16 EDT 2013


On 10/09/2013 11:05 AM, Rick van Rein (OpenFortress) wrote:
> Hello Hans-Juergen,
>
>> Are there any plans to implement the Kerberos STARTTLS extension (RFC 6251)?
> I'd be interested to learn why you would like to have this, given that Kerberos is already designed to run over untrusted networks?
>
> I'm architecting Kerberos into http://networkeffectalliance.org/ so I'd love to learn about any pros and cons.
>
>
> Thanks,
>   -Rick

The plain network traffic between client and KDC is vulnerable to
dictionary attacks on weak user passwords.
There are already tunneling mechanisms available for MIT Kerberos
like PKINIT and FAST, but I find them rather complicated to implement.
TLS would make things definitely easier. The GNU Kerberos solution
shishi has support for TLS, for example.

Hans-Juergen
