RFC 4121 & acceptor subkey use in MIC token generation

Nico Williams nico at cryptonector.com
Thu Oct 26 14:33:27 EDT 2023


On Thu, Oct 26, 2023 at 02:27:56PM -0400, Ken Hornstein wrote:
> Ever hear the political adage, "If you're explaining yourself, you're
> losing"?  The same adage applies when talking to security people,
> especially the non-technical ones.  The common gss-keyex code out there
> calls the OpenSSL MD5 function at runtime, and some of the distributions
> that do ship the gss-keyex code (RedHat) decided to simply disable
> gss-keyex code when FIPS is turned on.  So yes, you CAN hardcode the
> OID->name mappings, but it seems that nobody actually does that.

We accept PRs.

