>In practice, 3DES has no problems here, but AES keys can confuse really
>old clients.

A slight expansion on this. Clients from the MIT 1.0.x era would reject service tickets if they were encrypted with an enctype they didn't know about (since clients don't decrypt service tickets they shouldn't need to care about the enctype). The exception to this was the TGT (it used a different codepath). So you could have an AES TGT (for example) and it would work fine even though AES keys for service principals would not (3DES had the same issue from what I remember). I believe this was fixed in the 1.1 or 1.2 timeframe.

--Ken
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
