Fwd: [krbdev.mit.edu #4975] Checksum type 14 undefined
Jeffrey Hutzelman
jhutz at cmu.edu
Thu Dec 7 17:43:09 EST 2006
On Thursday, December 07, 2006 05:18:57 PM -0500 Marcus Watts
<mdw at umich.edu> wrote:
> I've got code that knows 9 is unkeyed SHA1 with key usage 0x99,
> but doesn't actually use it for anything. I wound up using
> CKSUMTYPE_RSA_MD5==7 because sha1 support didn't seem to be standardized
> enough across implementations to be a dependable feature.
> For instance, Heimdal apparently has CKSUMTYPE_RSA_MD5_DES3 == 9,
> and uses CKSUMTYPE_SHA1 == 14. shishi didn't have an unkeyed sha-1
> type at all.
Right. IIRC, cksumtype 14 was reserved for an earlier version of PKINIT,
before we decided that defining new unkeyed cksumtypes wasn't really a good
idea. So, the value is reserved, but its meaning isn't specified anywhere,
and you certainly shouldn't depend on anyone implementing it. cksumtype 9
is in an even more tenuous situation, since different implementations have
used it to mean different things, and at least one of those usages was
without benefit of allocation (possibly both).
If you have an application that explicitly needs an _unkeyed_ checksum,
then RFC3961 is not the framework you're looking for, at least for that
application.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the krbdev
mailing list