On Thu, 2014-02-20 at 13:14 -0600, Troy Benjegerdes wrote: > I remember hearing lots of arguments that getting rid of DES keys would take > tens or hundreds of thousands of dollars, and that 'developers need to eat' > etc etc. > > Then one day an exploit was announced, and all of a sudden we got > http://www.openafs.org/pages/security/how-to-rekey.txt
This did not get rid of DES keys except in some limited contexts; the cache manager still uses a DES session key, and fixing this still requires money. (Which YFS has invested for its product, and MIT is funding for OpenAFS --- but the latter gets us exactly one person working on it.) Yes, I know you're living in a very different world. Problem there is that nobody else using AFS is living in that world or able to live in that world. Must be nice. -- brandon s allbery kf8nh sine nomine associates [email protected] [email protected] unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
