[OpenAFS-devel] [FYI] Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009

Dean Anderson dean@av8.com
Thu, 29 Jan 2009 16:53:34 -0500 (EST)


Some AFS sites are still using Kerberos 4.  I don't think removing DES
from latest Kerb. 5 is going to matter much.  I think AFS doesn't just
take the latest Kerberos code, anyway.

Your announcement also affects DCE, btw. I'll forward it to some DCE
lists. You should also try to consult M$, since Windows is heavily
dependent on M$'s own implementation of DCE, and relies on Kerberos
underneath it all.  I have been meaning to update a DCE RFC (M$ has
added a bunch of RPC assigned values, and we should track that) and have
also been meaning to get a free implementation of DCE RSA working. OSF
did an implementation with BSAFE back in the day, but BSAFE is not free.
Though, unfortunately, none of this is very useful to AFS since it's all
in the RPC layer. Sorry, folks.

Still, I don't see what the point is in removing DES from Kerberos
distribution. There are many weak ciphers that are sometimes used merely
because they are fast, or for historical reasons. How about for
demonstration of the crypto methods to break it? Surely, DES doesn't put
a maintenance burden on Kerberos???

		--Dean

On Thu, 29 Jan 2009, Sam Hartman wrote:

> 
> 
> Folks, I wanted to draw the attention of the AFS development community to a proposal under review
> within the MIT Kerberos development community.
> Comments on this proposal should be sent to krbdev@mit.edu.
> 
> The basic goal is to remove single DES from MIT Kerberos.  That makes
> sense for security reasons.  It also makes using AFS rather difficult.
> There are a lot of different things it could mean to disable DES, some
> of them requiring more twiddling to deal with AFS than others.  I
> think it would be great to make sure AFS developers are involved in
> the discussion to help balance the security vs usability tradeoff.
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000