On Fri, Nov 16, 2007 at 03:50:16PM -0800, Russ Allbery wrote: > John Washington <[EMAIL PROTECTED]> writes: > > > I would definitely add aes128-cts-hmac-sha1-96 and > > aes256-cts-hmac-sha1-96, as Microsoft is adding these to AD (and I > > prefer good encryption, not really broken encryption) > > Is there any reason to add the 128-bit keys? So far, it seems like > everyone who can do 128-bit can also do 256-bit, but maybe that isn't true > of the upcoming Windows release? (They're both equally export-controlled, > so far as I know.)
It isn't true for Solaris 10 without the supplemental cryptography packages -- I don't recall if this changed in S10U4 or will change in U5, but we're definitely moving towards delivering 256-bit key length support by default. Nico -- ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
