Support for Microsoft Set Password protocol

Nicolas Williams Nicolas.Williams at
Wed Apr 2 11:24:04 EST 2003

On Wed, Apr 02, 2003 at 05:39:31PM +0200, Love wrote:
> Nicolas Williams <Nicolas.Williams at> writes:
> > On Wed, Apr 02, 2003 at 05:13:23PM +0200, Love wrote:
> >> Why must the API depend on the protocol ?
> [....]
> > Perhaps the API should optionally allow the application to select a
> > single protocol version to use to avoid the downgrade attack.
> I think that the API should specify that type of security the client
> requests. Allow (pointless) downgrade attack, allow unauthenticated error
> messages, etc.

Well, with the caveat that KRB-ERROR is (for now) always authenticated
plaintext...  Even with extensions there will be circumstances where
KRB-ERROR cannot be authenticated.

The fact that MIT's v1 server responds to version mismatches with a
KRB-ERROR rather than an AP-REP and KRB-PRIV does not help.

Therefore another caveat: allowing a downgrade and negotiating support
for major protocol versions other than 2 means pretty much the same
exact thing.

> Options for functionallity and security, not protocol type/version. Well, a
> selection protocol option could exists, but that should be needed to be
> specified.

Agreed.  Have an optional parameter for specifying the major protocol
version/type or negotiability and let it default according to local/site



More information about the krbdev mailing list