On Wed, Oct 15, 2008 at 03:48:21PM +0200, Mark Phalan wrote:
> > Does OpenSolaris have any latitude in changing the attributes or do they 
> > need to be kept verbatim as
> > they come from MIT code drops?
> 
> We have latitude but generally we like to remain as compatible with
> upstream as possible.

Right.  Differing from MIT -> more merge/sync work down the line (and/or
more work to do to get Solaris' differences integrated into MIT krb5).

> > If we do, then the choice of boolean flag_RSA_PROTOCOL[=yes] excluded other
> > key exchange algorithms, such as ECC.
> 
> As PKINIT (RFC 4556) doesn't support ECC key exchange I don't see an
> immediate need for this and it is not worth (in my opinion) breaking MIT
> compatibility for it now. I should note that this config file option is
> "Volatile".

FYI, RFC5349 adds ECDH support for PKINIT.

Note though that flag_RSA_PROTOCOL does not preclude any ECC
enhancements.  It merely enables one key exchange method (RSA key
transport) for PKINIT.

One supposes that that means that we can expect more boolean
flag_<key_exch_method>_PROTOCOL parameters.

The "flag_" prefix is annoying (read: redundant), but I'll live.

IOW, this parameter is not a problem.

Nico
-- 