On 8/12/2014 6:06 PM, Viktor Dukhovni wrote:
> On Tue, Aug 12, 2014 at 04:22:21PM -0400, Salz, Rich wrote:
>
>> Can you take a look at http://rt.openssl.org/Ticket/Display.html?id=549
>> And let us know what you think?
>
> I contribute bits of code to MIT and Heimdal Kerberos and maintain
> a Kerberos infrastructure for a living. I would like to see OpenSSL
> remove all support for the obsolete Kerberos-V5 cipher-suites.
>
> The modern way to combine Kerberos with TLS is GSSAPI with channel
> binding. The old crufty Kerberos support should be deleted from
> "master". No new features should be added to this code.

Viktor,

RFC 2712 is a Proposed Standard. I agree with you wholeheartedly that no one should ever use it again because of its dependence on DES and only DES. An Internet Draft should be submitted to the IETF TLS Working Group to change the status to Historic and reference RFC 6649 "Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos" as the justification.

I also agree that OpenSSL should consider removing the functionality. That being said, I know that there are entities that did rely upon it. OpenSSL does not build with this support by default and it would be bad form to remove it from an existing release series. Removal on the current master branch should not be an issue.

Jeffrey Altman