Can you elaborate on the solutions that are being considered and what the timetable is?
Also at the risk of sounding curmudgeonly, what's the hold up? I and others have been banging on about this vulnerability for years now. Why does it take the announcement of a tool to light a fire under people, when the possibility of such a tool has been obvious and well documented in the literature for over 10 years, as have the various possible fixes?

There is also some breakdown in communication going on, since there are 1000s of admins out there who have somehow got the message that Kerberos is "unsniffable". Which is true in theory (PKINIT etc), yet in practical terms is far from the truth.

I suppose we're lucky that this guy hasn't put a nice GUI on the tool. Yet.

Cheers, Frank.

Sam Hartman wrote:
> You should note that fixing offline dictionary attacks is a current
> work item of the Kerberos working group of the IETF; solutions are
> basically understood but need to be written up and implemented.
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> http://mailman.mit.edu/mailman/listinfo/kerberos
