Info regarding MIT 1.8 Crypto modularity feature.
jaltman at secure-endpoints.com
Mon Aug 16 10:25:46 EDT 2010
On 8/16/2010 9:48 AM, Zhanna Tsitkova wrote:
> The selection of the crypto backend happens during the configure/build
> For example, to use openssl cryptography one needs to configure MIT
> Kerberos with option --with-crypto-impl=openssl. If this option is
> omitted, the default crypto. i.e. builtin, will be used.
> Only one crypto implementation per Kerberos crypto library is
> supported. This means that client/server does not have an option to
> specify the type of the desired crypto implementation during run-time.
> That said, it would be interesting to learn about the use case when
> one needs to have an option to switch between crypto implementations
> at run-time.
The most common use cases would be:
* FIPS 140.2 vs non-FIPS modes. In general non-FIPS will be faster
but for some situations a FIPS mode is required.
* Shipping a binary that can support hardware and non-hardware
* End user performance testing.
More information about the krbdev