RFC 4121 & acceptor subkey use in MIC token generation

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Oct 26 14:38:47 EDT 2023


>> Ever hear the political adage, "If you're explaining yourself, you're
>> losing"?  The same adage applies when talking to security people,
>> especially the non-technical ones.  The common gss-keyex code out there
>> calls the OpenSSL MD5 function at runtime, and some of the distributions
>> that do ship the gss-keyex code (RedHat) decided to simply disable
>> gss-keyex code when FIPS is turned on.  So yes, you CAN hardcode the
>> OID->name mappings, but it seems that nobody actually does that.
>
>We accept PRs.

I am SO many levels down from the people that manage the licenses that
figuring out how to file a PR upwards through the various levels of the
DoD would probably take me a few days (I don't have to convince RedHat
there's a problem, I have to convince those gatekeepers that there's
a problem first, that's where things go sideways).  And those people are
the kind of people that as soon as they hear "MD5" and "FIPS mode" in
the same sentence, they're going to say, "THAT'S NOT ALLOWED".

--Ken