Fwd: [krbdev.mit.edu #4975] Checksum type 14 undefined

Tom Yu tlyu at MIT.EDU
Thu Dec 7 16:34:33 EST 2006


>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:

Kevin> If the Windows 2003 KDC returns a pkinit reply with a checksum rather
Kevin> than the insecure nonce, it uses checksum type 14.  This type is defined
Kevin> in RFC3961, but not in the current code.  I'm assuming that
Kevin> Vista/Longhorn will also use this checksum type.

Kevin> If we hack the pkinit code to use checksum type 9 when we get back 14,
Kevin> it works.  I do not know if a simple alias of type 9 is the correct answer.

Does anyone depend on cksum type 9 being unkeyed SHA1?  I'm not sure
whether RFC 3961's assignment precedes the use in our implementation
or not.

---Tom


