On Mon, Jul 15, 2019 at 02:19:22PM +0100, Matt Caswell wrote:
>
> On 15/07/2019 13:58, Tomas Mraz wrote:
> >
> > I understand that for the current digest algos implemented in the
> > legacy provider the problem might not be as pressing as these
> > algorithms are not widely used however which other algorithms are going
> > to be moved into the legacy provider?
>
> My guess is that the ones likely to give us the most problems would be DES,
> DSA and RC4

To add a bit of anecdata, Debian and Fedora are removing DES support from (MIT) krb5. So far all we've seen as bug reports are that the kernel may still have that enctype in its list to use for NFS (as well as other, still-useful, ones), and so we need to ignore it instead of bailing. But given that it provides only ca. $20 of protection, it's not especially surprising that we aren't seeing much using it.

On the other hand, krb5 is not going around and disabling RC4, even though RFC 8429 is a thing.

-Ben