GSSAPI interoperability problem between Java 1.5 & MIT Kerberos
Sam Hartman
hartmans at MIT.EDU
Tue Jan 10 15:28:41 EST 2006
>>>>> "Seema" == Seema Malkani <Seema.Malkani at Sun.COM> writes:
Seema> Apparently this problem is seen only when using
Seema> "des-cbc-crc" as the encryption type.
Seema> MIT Kerberos uses Sign Alg of (DES MAC MD5 - 00 00) for
Seema> both "des-cbc-crc" and "des-cbc-md5" enctypes. Latest RFC's
Seema> don't seem to indicate this. Can MIT team comment on this.
so, as this is an older enctype, RFC 1964 is the governing spec.
I don't think anything in RFC 1964 depends on what enctype is used.
The only factor as far as RFC 1964 is concerned is whether a key is a
DES key or not.
That's consistent with how RFC 1510 thought about enctypes.
In particular RFC 1964 does not mention des-cbc-md4 or des-cbc-crc at
all.
I do agree it is sub-optimal that the MIT implementation does not
support des-mac. I'm not at all sure it is worth fixing; it would be
years before we got the fix everywhere and it does not seem that DES's
lifetime is that long.
--Sam
More information about the krbdev
mailing list