Projects/replay_cache_collision_avoidance and replay cache uses

Jeffrey Altman jaltman at
Mon Jan 5 16:51:37 EST 2009

Nicolas Williams wrote:

> In the case of KRB-PRIV/SAFE the best thing to do is to always use
> sequence numbers, not time, and to always assert sub-session keys.  I'm
> not sure what protocols exist that use KRB-PRIV/SAFE much, but these
> come to mind:
>  - kprop (but not iprop, which is RPC based) (uses sequence numbers)
>  - kpasswd and RFC3244 (uses sequence numbers (at least in the MIT
>    code-base))
>  - set/change password v2 (I forget what the I-D says; I'll make sure it
>    says to use sequence numbers)
> Are there others?  (UName*It uses KRB-PRIV/SAFE, someone might want to
> check what it does.  What about Zephyr and other Athena friends?)

Untold thousands of proprietary in-house applications.

Jeffrey Altman


More information about the krbdev mailing list