On 08/01/16 14:42, Zheng, Kai wrote:
> Yeah, we need to catch up with latest updates in this aspect and deprecate
> some of the encryption and checksum types for security considerations. I think
> this can be done prior to 1.0.0, aligning with both MIT Kerberos and Oracle
> Java.

The question here is: do we want to guarantee a sort of backward compatibility with old (and insecure) Kerberos implementations? One option would be to add some configuration element that enables the deprecated Checksum type on demand. That would be totally insane, but you never know what users have to deal with, especially in big companies or administrations ;-)

For instance, in France, one airport was shut down for half a day at the end of last year because one system was running on a ... Windows 3.1 computer!!! (http://arstechnica.com/information-technology/2015/11/failed-windows-3-1-system-blamed-for-taking-out-paris-airport/).

Have fun ;-)
