near-term strategy for "disable DES" effort
tlyu at MIT.EDU
Fri Jan 30 14:20:54 EST 2009
Near term (krb5-1.7-alpha1 timeline) strategy for the "disable DES"
effort will include the following:
* Remove single-DES enctypes from the "supported_enctypes" list for
libkadm5. This will prevent kadmind from creating new single-DES
long-term keys unless explicitly configured otherwise. This may
cause problems for users running old client software, and I
encourage you to propose strategies for mitigating this issue.
* Implement the "allow_weak_crypto" libdefault setting. I was leaning
in favor of "false" but recent discussion of the transition issues
is calling that into question. Unless I hear strong objections, I
will assert that defaulting to "false" is acceptable for the alpha
release and am willing to reconsider prior to final release.
We expect to make the release branch and the krb5-1.7-alpha1 release
I will continue to update the project proposal and gather opinions on
future progress of this effort.
Development Team Leader
MIT Kerberos Consortium
More information about the krbdev