RFC 6542 adopted by MIT krb5?

Benjamin Kaduk kaduk at MIT.EDU
Thu Oct 15 22:22:45 EDT 2015

On Thu, 15 Oct 2015, Wang Weijun wrote:

> The TLS guys in our team are talking about removing SHA-1 and I am asked
> what we can do on Kerberos. I said we only need for a little while
> because the SHA-2 related etypes are already in an IETF draft. And then
> I notice we are still using MD5. :-(

It will be more than "a little while" before the SHA-2 enctypes are widely
deployed, I fear.  Of course, the SHA-1 ones use HMAC-SHA1, but it is
harder to convince people that HMAC is different than to have an
alternative deployed.


More information about the krbdev mailing list