RFC 6542 adopted by MIT krb5?

Wang Weijun weijun.wang at oracle.com
Thu Oct 15 21:52:06 EDT 2015

> On Oct 16, 2015, at 2:00 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 10/15/2015 04:00 AM, Wang Weijun wrote:
>> We (Java team at Oracle) are going through weak algorithms in all our code and noticed our krb5 GSS-API mech is using MD5 in channel binding. I noticed RFC 6542 already updated it. Does MIT krb5 support it?
> To the best of my knowledge, we haven't implemented it yet.

Is there a plan?

The TLS guys in our team are talking about removing SHA-1 and I am asked what we can do on Kerberos. I said we only need for a little while because the SHA-2 related etypes are already in an IETF draft. And then I notice we are still using MD5. :-(


More information about the krbdev mailing list