Support for Microsoft Set Password protocol
Nicolas.Williams at sun.com
Tue Apr 1 18:15:29 EST 2003
On Tue, Apr 01, 2003 at 05:32:39PM -0500, Sam Hartman wrote:
> Does the downgrade give the attacker any advantage if the request can
> be stated in the old protocol?
None that I can see, except, perhaps, that the new draft allows the
client to request that the server generate a password and so a downgrade
would prevent the generation of strong passwords - however, I don't
think many users will care for server-generated passwords at all :) so
this is probably not a problem. (I can always remove that protocol
option; perhaps I should).