krb5-1.9-beta1 is available

Tim Alsop Tim at
Fri Nov 5 05:08:12 EDT 2010


Thanks. I am pleased that it is only considered to be short term solution, but I am wondering if anybody will implement something which is short term and has so many weaknesses.

Our solution is already RSA Certified - just visit and search for Kerberos. Do MIT also plan to get RSA to certify the MIT 1.9 solution ?

Take care,

-----Original Message-----
From: Tom Yu [mailto:tlyu at] 
Sent: 04 November 2010 20:21
To: Tim Alsop
Cc: krbdev at MIT.EDU
Subject: Re: krb5-1.9-beta1 is available

Tim Alsop <Tim at> writes:

> Hi,
> Is the RA SecurID support based on the SAM protocol, so that Kerberos 
> password is still required ?

This is based on the SAM-2 protocol.

> We have supported this for about 10 years in our KDC and find that 
> most customers prefer a method which is not using Kerberos password, 
> and hence the new RSA OTP draft is preferred.

> I am therefore wondering why a SAM based solution has been chosen ?

The SAM solution is an interim measure to support existing deployments, and is not our long-term strategy for OTP.  The current draft draft-ietf-krb-wg-otp-preauth-13 is more promising as a long-term OTP strategy, because it is intended to work with FAST.

More information about the krbdev mailing list