Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009
Sam Hartman
hartmans at MIT.EDU
Thu Jan 29 12:43:08 EST 2009
>>>>> "Ken" == Ken Raeburn <raeburn at MIT.EDU> writes:
Ken> On Jan 28, 2009, at 21:16, Tom Yu wrote:
>> Please review the project
>> http://k5wiki.kerberos.org/wiki/Projects/Disable_DES
Ken> I don't think "in the future, in a separate project, [we will
Ken> make X set of changes]" should be a part of this project
Ken> proposal. Maybe you can mention in general terms what you
Ken> anticipate will be done, but if you write what *will* be
Ken> done, either you're proposing those changes for review now
Ken> (and implementation later) and should provide a commensurate
Ken> level of detail, or you're asserting that they'll be done,
Ken> without review. In this case, I don't think we should be
Ken> getting into details of "permitted_enctypes" config option
Ken> processing now. You even say it's a separate project; if you
Ken> want to review the details now, write it up as a separate
Ken> project.
I'd be happy with rewording, but I do actually want to have a bit of a discussion and review now about what we want eventual interfaces to be here.
Ken> There's no discussion of the impact on existing deployments
Ken> when updating clients, servers, or KDCs, or what will or
Ken> won't work if you don't set allow_weak_crypto=yes. It will
Ken> need to be well documented, both in our regular documentation
Ken> (man pages, install and admin guides) and prominently in the
Ken> release notes.
Right. I think the impact needs to be discussed enough for us to
review the project and the project plan needs to include effort for
documentation. I think shipping the code change without the
documentation changes would be confusing in this instance.