STARTTLS extension
H.-J. Schnitzer
schnitzer2 at rz.rwth-aachen.de
Wed Oct 9 06:54:16 EDT 2013
On 10/09/2013 11:05 AM, Rick van Rein (OpenFortress) wrote:
> Hello Hans-Juergen,
>
>> Are there any plans to implement the Kerberos STARTTLS extension (RFC 6251)?
> I'd be interested to learn why you would like to have this, given that Kerberos is already designed to run over untrusted networks?
>
> I'm architecting Kerberos into http://networkeffectalliance.org/ so I'd love to learn about any pros and cons.
>
>
> Thanks,
> -Rick
The plain network traffic between client and KDC is vulnerable to
dictionary attacks on weak user passwords.
There are already tunneling mechanisms available for MIT Kerberos
like PKINIT and FAST but I find them rather complicated to implement.
TLS would make things definitely easier. The GNU Kerberos solution
shishi has support for TLS for example.
Hans-Juergen