Fwd: [krbdev.mit.edu #4975] Checksum type 14 undefined

Jeffrey Hutzelman jhutz at cmu.edu
Thu Dec 7 17:43:09 EST 2006

On Thursday, December 07, 2006 05:18:57 PM -0500 Marcus Watts 
<mdw at umich.edu> wrote:

> I've got code that knows 9 is unkeyed SHA1 with key usage 0x99,
> but doesn't actually use it for anything.  I wound up using
> CKSUMTYPE_RSA_MD5==7 because sha1 support didn't seem to be standardized
> enough across implementations to be a dependable feature.
> For instance, Heimdal apparently has CKSUMTYPE_RSA_MD5_DES3 == 9,
> and uses CKSUMTYPE_SHA1 == 14.  shishi didn't have an unkeyed sha-1
> type at all.

Right.  IIRC, cksumtype 14 was reserved for an earlier version of PKINIT, 
before we decided that defining new unkeyed cksumtypes wasn't really a good 
idea.  So, the value is reserved, but its meaning isn't specified anywhere, 
and you certainly shouldn't depend on anyone implementing it.  cksumtype 9 
is in an even more tenuous situation, since different implementations have 
used it to mean different things, and at least one of those usages was 
without benefit of allocation (possibly both).

If you have an application that explicitly needs an _unkeyed_ checksum, 
then RFC3961 is not the framework you're looking for, at least for that 

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

More information about the krbdev mailing list