On Friday, February 24, 2006 10:15:32 AM -0600 "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> I am looking for other Kerberos sites that use Oracle with or without the
> ASO who would like to see the ASO improved. I would also be interested to
> know if you have approached Oracle on improvements, and what was their
> response.

We've been using Oracle with ANO and Kerberos for some years now. Like you, we'd like to see support for new enctypes, the version 4 fcache format, and a fix to the KRB5CCNAME parsing bug.

While we don't currently have any situations where we need non-identity principal->username mappings, as a security protocol designer I think this abstraction is an important one, and it is clearly missing from Oracle. A principal name length limit of 30 characters is clearly too short; we have plenty of principal names over that limit. Fortunately, most of them belong not to users but to services which will never talk to Oracle.

More generally, the failure of Oracle to keep portions of their Kerberos code even remotely up to date makes me wonder how well-maintained the rest of it is, and how committed Oracle is to maintaining this security-sensitive code. I'm always a little nervous about "closed" security protocols and code which haven't been subject to outside review, particularly given the amount of snake oil out there. But the lack of attention paid to this particular code really is worrisome.

I'll have to check with our DBAs to see if there are any open tickets on these items, or on other Kerberos-related issues.

-- Jeff
