review of Projects/replay_cache_collision_avoidance, ending Jan. 12

Nicolas Williams Nicolas.Williams at
Tue Dec 30 15:41:13 EST 2008

On Sun, Dec 28, 2008 at 05:04:25PM -0500, Tom Yu wrote:

 - This needs to be updated since we seem to agree that the
   authenticator cleartext should not be used.

 - In "Is this a long term fix for the problem?" the wiki says that
   "[the need to reject AP-REQs during the replay cache recovery time]
   implies that at the very least a change in file format would result
   in an outage."

   That's not really true.  You could populate the new format file with
   records from the old one, provided you had an option for hash-less
   entries in the new format...


More information about the krbdev mailing list