On 10/09/2013 11:05 AM, Rick van Rein (OpenFortress) wrote:
> Hello Hans-Juergen,
>
>> Are there any plans to implement the Kerberos STARTTLS extension (RFC 6251)?
>
> I'd be interested to learn why you would like to have this, given that
> Kerberos is already designed to run over untrusted networks?
>
> I'm architecting Kerberos into http://networkeffectalliance.org/ so I'd love
> to learn about any pros and cons.
>
> Thanks,
> -Rick
The plain network traffic between client and KDC is vulnerable to dictionary attacks on weak user passwords. There are already tunneling mechanisms available for MIT Kerberos like PKINIT and FAST, but I find them rather complicated to implement. TLS would make things definitely easier. The GNU Kerberos solution shishi has support for TLS, for example.

Hans-Juergen

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
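As an added illustration that is not part of the thread: the FAST/PKINIT mitigation the message above refers to, as MIT Kerberos configures it, using an anonymous PKINIT ticket as FAST armor so that the password-derived encrypted timestamp is no longer exposed to a passive observer. Realm name, certificate paths and the user principal are placeholders; the kdc.conf and krb5.conf fragments are shown together here for brevity.

```ini
# --- kdc.conf on the KDC (added example; realm and paths are placeholders) ---
# The KDC presents a certificate so clients can obtain anonymous tickets via PKINIT.
[kdcdefaults]
    pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
    pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem

[realms]
    EXAMPLE.COM = {
        # Anonymous tickets may only be used against the TGS (i.e. as FAST
        # armor), never to obtain service tickets.
        restrict_anonymous_to_tgt = true
    }

# --- krb5.conf on the client: trust the CA that issued the KDC certificate ---
[realms]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }

# One-time step on the KDC, creating the anonymous principal:
#   kadmin.local -q "addprinc -randkey WELLKNOWN/ANONYMOUS"
#
# Client side: obtain an anonymous TGT, then use it to armor the password AS exchange:
#   kinit -n -c /tmp/armor_cc
#   kinit -T /tmp/armor_cc alice@EXAMPLE.COM
#
# With the armor in place the encrypted-timestamp preauth travels inside the
# FAST tunnel (RFC 6113), keyed by the anonymous ticket's session key, so a
# capture of the AS exchange no longer yields material for an offline
# dictionary attack on the user's password.
```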
