On Tue, Aug 12, 2014 at 11:17:36PM -0400, Jeffrey Altman wrote:

> > The modern way to combine Kerberos with TLS is GSSAPI with channel
> > binding.  The old crufty Kerberos support should be deleted from
> > "master".  No new features should be added to this code.
> 
> RFC 2712 is a Proposed Standard.  I agree with you wholeheartedly that
> no one should ever use it again because of its dependence on DES and
> only DES.  An Internet Draft should be submitted to the IETF TLS Working
> Group to change the status to Historic and reference RFC 6649 "Deprecate
> DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos"
> as the justification.
> 
> I also agree that OpenSSL should consider removing the functionality.
> That being said I know that there are entities that did rely upon it.
> OpenSSL does not build with this support by default and it would be bad
> form to remove it from an existing release series.  Removal on the
> current master branch should not be an issue.

That's what I am proposing.  Leave it in place in 0.9.8 (almost
EOL) and 1.0.x (stable releases), but remove from "master" (1.1.0-dev).

As for writing drafts to deprecate these, I am up to my ears in DANE
and Opportunistic Security, so someone else will have to take that
on.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
