near-term strategy for "disable DES" effort

Tom Yu tlyu at MIT.EDU
Fri Jan 30 14:20:54 EST 2009


Near term (krb5-1.7-alpha1 timeline) strategy for the "disable DES"
effort will include the following:

* Remove single-DES enctypes from the "supported_enctypes" list for
  libkadm5.  This will prevent kadmind from creating new single-DES
  long-term keys unless explicitly configured otherwise.  This may
  cause problems for users running old client software, and I
  encourage you to propose strategies for mitigating this issue.

* Implement the "allow_weak_crypto" libdefault setting.  I was leaning
  in favor of "false" but recent discussion of the transition issues
  is calling that into question.  Unless I hear strong objections, I
  will assert that defaulting to "false" is acceptable for the alpha
  release and am willing to reconsider prior to final release.

We expect to make the release branch and the krb5-1.7-alpha1 release
later today.

I will continue to update the project proposal and gather opinions on
future progress of this effort.

-- 
Tom Yu
Development Team Leader
MIT Kerberos Consortium
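
An added example, not part of the original message or of MIT krb5 itself: a small audit that flags the two settings discussed above in krb5.conf/kdc.conf text. The single-DES enctype names, the accepted boolean spellings, the simplified line-based parsing and the sample configuration are assumptions of this example.

```python
import re

# Single-DES enctype names as MIT krb5 spells them (assumption: the
# message does not list them). des3-* is triple DES and is not flagged.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample input, not taken from any real deployment.
SAMPLE = """
[libdefaults]
    allow_weak_crypto = true
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:v4
    }
"""

def relations(text):
    """Yield (name, value) for each 'name = value' line.

    Simplified: section headers, comments and brace nesting are ignored,
    so the same setting is checked wherever it appears in the file.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        name, sep, value = line.partition("=")
        if sep:
            yield name.strip(), value.strip()

def audit(text):
    """Return a list of findings about weak-crypto settings in text."""
    findings = []
    for name, value in relations(text):
        if name == "supported_enctypes":
            # Entries are enctype:salttype pairs separated by spaces or commas.
            for item in re.split(r"[,\s]+", value):
                if item.split(":", 1)[0].lower() in SINGLE_DES:
                    findings.append(f"supported_enctypes lists single-DES entry {item}")
        elif name == "allow_weak_crypto" and value.lower() in TRUE_WORDS:
            findings.append("allow_weak_crypto is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
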


