Fedora crypto consolidation

Nicolas Williams Nicolas.Williams at sun.com
Tue Mar 25 17:45:45 EDT 2008

On Tue, Mar 25, 2008 at 03:48:40PM -0400, Sam Hartman wrote:
> I think we would definitely be interested in working with Redhat to
> try and find designs that avoided API breaks if possible.
> I assume the big issue is keyblocks?

Note that we've already made changes to our MIT krb5-derived Solaris
Kerberos stack to use PKCS#11 for all crypto operations.

We resolved the krb5_keyblock size, layout and key derivation cache
issues in a way that we had the luxury to do because we'd not then yet
exposed the krb5 API.  However, I believe these issues could be resolved
in MIT krb5 without breaking the API.

I don't know for sure, but we might prefer to donate that code (i.e.,
under the MIT license, rather than the CDDL) so as to preserve our

