Secure Endpoints has pushed fixes to https://github.com/heimdal/heimdal for both the 'master' (aka pre-1.6) and 'heimdal-1-5-branch' branches. With the HEAD of each branch the following is now true:
1. The svc_use_strongest_session_key option does not need to be enabled. If you choose to enable it you can. 2. If the afs/* service principal does not have a 1des key and the client requests a 1des key, a 1des session key can be issued. 3. a 1des session key or service ticket key can be issued for afs/* service principals even if 'allow_weak_crypto' is not enabled. Thanks to Stanford University and KTH for testing. Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature
