Ah right, good point! That's why these enc/checksum types were still kept even though we know they're already deprecated. Yeah, we would deprecate them, not retire or totally abandon them. I believe we need some sort of work to revisit this field considering such things. Enc/checksum types are used in various places where they need to be configurable. Different places need different levels of security or strength of encryption and checksum types. Your suggestion sounds good to me: configurable, and also an API allowing it to be set on demand.
Regards,
Kai

-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Friday, January 08, 2016 10:33 PM
To: [email protected]
Subject: Re: Checksum types

On 08/01/16 14:42, Zheng, Kai wrote:
> Yeah, we need to catch up with latest updates in this aspect and deprecate
> some of encryption and checksum types for security considerations. I think
> this can be done prior to 1.0.0, aligning with both MIT Kerberos and Oracle
> Java.

The question here is: do we want to guarantee a sort of backward compatibility with old (and insecure) Kerberos implementations?

One option would be to add some configuration element that enables the deprecated Checksum type on demand. That would be totally insane, but you never know what users have to deal with, especially in big companies or administrations ;-)

For instance, in France, one airport was shut down for half a day at the end of last year because one system was running on a ... windows 3.1 computer !!! (http://arstechnica.com/information-technology/2015/11/failed-windows-3-1-system-blamed-for-taking-out-paris-airport/).

Have fun ;-)
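The "deprecate but keep configurable, with an API to enable on demand" idea the two messages above converge on, sketched as an added example. This is not Apache Kerby's, MIT Kerberos's or Oracle Java's code; enctype numbers and names are the IANA Kerberos registry values, while the strength classification, the class and function names (EncTypePolicy, Strength, audit) and the krb5.conf-style list syntax accepted by from_config are this example's own assumptions.

```python
"""Policy for deprecated Kerberos encryption types (added illustration).

Deprecated types stay registered (so old tickets, keytabs and peers can still
be handled when an administrator explicitly asks for it) but are not usable by
default. Enabling one is a deliberate act that is logged, and a KDC-style
selection always prefers the strongest type both sides permit.
"""
import logging
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple

log = logging.getLogger("enctype-policy")


class Strength(IntEnum):
    DEPRECATED = 0  # single DES (withdrawn by RFC 6649): kept only for legacy interop
    LEGACY = 1      # still deployed, no longer recommended (assumed classification)
    MODERN = 2      # AES family


# etype number -> (name, strength). Numbers and names are IANA registry values;
# the strength column is this example's classification.
ENCTYPES: Dict[int, Tuple[str, Strength]] = {
    1: ("des-cbc-crc", Strength.DEPRECATED),
    3: ("des-cbc-md5", Strength.DEPRECATED),
    16: ("des3-cbc-sha1", Strength.LEGACY),
    23: ("rc4-hmac", Strength.LEGACY),
    17: ("aes128-cts-hmac-sha1-96", Strength.MODERN),
    18: ("aes256-cts-hmac-sha1-96", Strength.MODERN),
}
BY_NAME: Dict[str, int] = {name: num for num, (name, _) in ENCTYPES.items()}


@dataclass
class EncTypePolicy:
    """The set of enctypes one component (KDC, client, keytab tool) accepts."""
    permitted: Set[int]

    @classmethod
    def default(cls, minimum: Strength = Strength.MODERN) -> "EncTypePolicy":
        """Default policy: everything at or above the minimum strength, nothing below."""
        return cls({e for e, (_, s) in ENCTYPES.items() if s >= minimum})

    @classmethod
    def from_config(cls, permitted_list: str) -> "EncTypePolicy":
        """Build a policy from a krb5.conf-style list of names (space or comma
        separated); deprecated names are accepted but each one is logged."""
        policy = cls(set())
        for name in permitted_list.replace(",", " ").split():
            if name not in BY_NAME:
                raise ValueError(f"unknown enctype name: {name}")
            policy.enable(BY_NAME[name])
        return policy

    def enable(self, etype: int) -> None:
        """The 'API on demand': opt one type in programmatically."""
        name, strength = ENCTYPES[etype]  # KeyError for unregistered numbers
        if strength is Strength.DEPRECATED:
            log.warning("enabling deprecated enctype %s (etype %d) on demand", name, etype)
        self.permitted.add(etype)

    def disable(self, etype: int) -> None:
        self.permitted.discard(etype)

    def is_permitted(self, etype: int) -> bool:
        # Unregistered numbers are never permitted, whatever the configuration says.
        return etype in ENCTYPES and etype in self.permitted

    def select(self, offered: List[int]) -> Optional[int]:
        """Choose the strongest permitted type from a peer's offered list; ties
        go to the peer's own preference order. None means no common type."""
        candidates = [e for e in offered if self.is_permitted(e)]
        if not candidates:
            return None
        return max(candidates, key=lambda e: (ENCTYPES[e][1], -offered.index(e)))


def audit(etypes: List[int]) -> List[str]:
    """Names of the deprecated types in a list of key enctypes (for example the
    keys stored for a principal), so stragglers can be found before retirement."""
    return [ENCTYPES[e][0] for e in etypes
            if e in ENCTYPES and ENCTYPES[e][1] is Strength.DEPRECATED]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    kdc = EncTypePolicy.default()
    print("strict KDC, client offers rc4/aes:", kdc.select([23, 18, 17]))   # 18
    print("strict KDC, client offers des/rc4:", kdc.select([1, 23]))        # None
    legacy = EncTypePolicy.from_config("aes256-cts-hmac-sha1-96, des-cbc-crc")
    print("legacy site, client offers des/aes:", legacy.select([1, 18]))    # 18
    print("deprecated keys found:", audit([1, 18, 23]))                      # ['des-cbc-crc']
```

The default policy refuses everything below the minimum, so a site that really needs single DES has to name it in configuration or call enable(), and the warning that produces is the audit trail. select() never returns a weaker type than necessary even when a weak one is permitted, which keeps an opt-in for one old peer from downgrading everyone else.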
