Henry B. Hotz hotz at
Tue Sep 2 21:17:07 EDT 2008

On Aug 21, 2008, at 9:08 AM, krbdev-request at wrote:

> Date: Wed, 20 Aug 2008 16:20:52 -0400
> From: Ken Raeburn <raeburn at MIT.EDU>
> Subject: Re: MD5DES_BETA5_COMPAT
> To: Tom Yu <tlyu at MIT.EDU>
> Cc: krbdev at
> Message-ID: <5987DCFE-2F9F-4912-80B9-2B5B91484C1E at>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
> On Aug 20, 2008, at 16:03, Tom Yu wrote:
>> There is some backward compatibility code in the MD5DES and MD4DES
>> keyed hash implementation in our crypto library.  It appears to allow
>> validation of keyed MD5 or MD4 checksums where the sender did not
>> include a confounder.
>> The name macros controlling this compatibility code imply that they
>> were for the "Beta 5" release, which was more than 10 years ago.   
>> Does
>> anyone still require this compatibility hack?
> Perhaps another good question is, does anyone still care about any
> sort of backwards compatibility with pre-1.0 releases?  I believe at
> least one vendor is, or was within the last year or so, still
> supporting 1.0.x clients for some customers.  But we may still be able
> to draw a line at 1.0, if not later....
> Ken

That would be Oracle?  I'm all for encouraging them to upgrade to a  
current Kerberos code base, and wish you luck with that.  After  
spending the time to figure out how to make their K5 support work, I'm  
left wondering if I could ever in good conscience recommend it to  
anyone, since you have to disable non-DES crypto support.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list