David Ressman wrote:
> As it's been pointed out to me, many of our peer institutions have
> accepted the risk and have set up trusts in their production domains
> using des-cbc keys. What do they know that I don't?

David:

The MIT Kerberos team worked with the Microsoft Windows Security team to make sure that RC4-HMAC could be used for cross-realm authentication by Windows Server specifically because of the concerns you raise. DES keys are very weak and if they must be used because that is all that is supported, then the keys must be replaced on a very regular basis until such time as they no longer need to be used. With 2003 Server SP1 there should no longer be a reason to use DES keys for anything but compatibility with Java 1.5 and earlier.

Jeffrey Altman

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
