Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009
simon at sxw.org.uk
Thu Jan 29 13:38:52 EST 2009
On 29 Jan 2009, at 02:16, Tom Yu wrote:
> Please review the project
> The review period ends on February 13, 2009.
> This project aims to disable single-DES cryptosystems by default. The
> "allow_weak_crypto" libdefaults setting (which is compatible with
> Heimdal) will override this disabling. Note that a more general means
> of configuring enctypes, allowing for explicit inclusions and
> exclusions, is out of scope for this project for time reasons but is
> clearly a better way to accomplish this functionality.
I'd like to see some consideration of making this switch more
granular. Many of us are in a situation where we'd love to get rid of
single DES, but we have some protocols (AFS in particular, but I'm
sure there are places with other locally developed protocols which
have similar problems) which rely upon single DES being available.
Would it be possible to consider providing a configurable white list,
where DES can be defined as acceptable for certain service principals?
This would provide an easy mechanism for sites to disable single DES
in general, but still have it for a certain limited set of uses.
More information about the krbdev