Henry B. Hotz
hotz at jpl.nasa.gov
Tue Sep 2 21:17:07 EDT 2008
On Aug 21, 2008, at 9:08 AM, krbdev-request at mit.edu wrote:
> Date: Wed, 20 Aug 2008 16:20:52 -0400
> From: Ken Raeburn <raeburn at MIT.EDU>
> Subject: Re: MD5DES_BETA5_COMPAT
> To: Tom Yu <tlyu at MIT.EDU>
> Cc: krbdev at mit.edu
> Message-ID: <5987DCFE-2F9F-4912-80B9-2B5B91484C1E at mit.edu>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
> On Aug 20, 2008, at 16:03, Tom Yu wrote:
>> There is some backward compatibility code in the MD5DES and MD4DES
>> keyed hash implementation in our crypto library. It appears to allow
>> validation of keyed MD5 or MD4 checksums where the sender did not
>> include a confounder.
>> The name macros controlling this compatibility code imply that they
>> were for the "Beta 5" release, which was more than 10 years ago.
>> anyone still require this compatibility hack?
> Perhaps another good question is, does anyone still care about any
> sort of backwards compatibility with pre-1.0 releases? I believe at
> least one vendor is, or was within the last year or so, still
> supporting 1.0.x clients for some customers. But we may still be able
> to draw a line at 1.0, if not later....
That would be Oracle? I'm all for encouraging them to upgrade to a
current Kerberos code base, and wish you luck with that. After
spending the time to figure out how to make their K5 support work, I'm
left wondering if I could ever in good conscience recommend it to
anyone, since you have to disable non-DES crypto support.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev