RFC 4121 & acceptor subkey use in MIC token generation
Nico Williams
nico at cryptonector.com
Thu Oct 26 14:33:27 EDT 2023
On Thu, Oct 26, 2023 at 02:27:56PM -0400, Ken Hornstein wrote:
> Ever hear the political adage, "If you're explaining yourself, you're
> losing"?. The same adage applies when talking to security people,
> especially the non-technical ones. The common gss-keyex code out there
> calls the OpenSSL MD5 function at runtime, and some of the distributions
> that do ship the gss-keyex code (RedHat) decided to simply disable
> gss-keyex code when FIPS is turned on. So yes, you CAN hardcode the
> OID->name mappings, but it seems that nobody actually does that.
We accept PRs.
More information about the Kerberos
mailing list