Support for Microsoft Set Password protocol

Love lha at
Wed Apr 2 10:39:31 EST 2003

Nicolas Williams <Nicolas.Williams at> writes:

> On Wed, Apr 02, 2003 at 05:13:23PM +0200, Love wrote:
>> Why must the API depend on the protocol ?
> Perhaps the API should optionally allow the application to select a
> single protocol version to use to avoid the downgrade attack.

I think that the API should specify that type of security the client
requests. Allow (pointless) downgrade attack, allow unauthenticated error
messages, etc.

Options for functionallity and security, not protocol type/version. Well, a
selection protocol option could exists, but that should be needed to be


More information about the krbdev mailing list