Support for Microsoft Set Password protocol

Nicolas Williams Nicolas.Williams at
Tue Apr 1 18:15:29 EST 2003

On Tue, Apr 01, 2003 at 05:32:39PM -0500, Sam Hartman wrote:
> Does the downgrade give the attacker any advantage if the request can
> be stated in the old protocol?

None that I can see, except, perhaps, that the new draft allows the
client to request that the server generate a password and so a downgrade
would prevent the generation of strong passwords - however, I don't
think many users will care for server-generated passwords at all :) so
this is probably not a problem.  (I can always remove that protocol
option; perhaps I should).



More information about the krbdev mailing list