Review of ending February 13, 2009

Simon Wilkinson simon at
Thu Jan 29 13:38:52 EST 2009

On 29 Jan 2009, at 02:16, Tom Yu wrote:

> Please review the project
> The review period ends on February 13, 2009.
> This project aims to disable single-DES cryptosystems by default.  The
> "allow_weak_crypto" libdefaults setting (which is compatible with
> Heimdal) will override this disabling.  Note that a more general means
> of configuring enctypes, allowing for explicit inclusions and
> exclusions, is out of scope for this project for time reasons but is
> clearly a better way to accomplish this functionality.

I'd like to see some consideration of making this switch more  
granular. Many of us are in a situation where we'd love to get rid of  
single DES, but we have some protocols (AFS in particular, but I'm  
sure there are places with other locally developed protocols which  
have similar problems) which rely upon single DES being available.

Would it be possible to consider providing a configurable white list,  
where DES can be defined as acceptable for certain service principals?  
This would provide an easy mechanism for sites to disable single DES  
in general, but still have it for a certain limited set of uses.



More information about the krbdev mailing list