On Fri, 2010-06-04 at 12:24 -0400, Richard E. Silverman wrote:
> I tracked down the bug.

With apologies for being a pain in the butt, I'm not sure we understand the situation well enough to safely make a change.

Providing zero-length input data is not the same as not providing any input data. The change you suggested could have interoperability or security ramifications if an application genuinely wants to checksum the empty string in an authenticator.

Moreover, the mk_req_ext behavior you're proposing to change did not change between 1.6 and current. The behavior of callers may have changed, of course.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
