[OpenAFS] (no subject)

Brandon Allbery allbery.b@gmail.com
Tue, 22 Nov 2011 23:50:29 -0500


On Tue, Nov 22, 2011 at 23:35, Atro Tossavainen <openafs@atrotossavainen.fi> wrote:

> If OpenAFS with Kerberos 5 still uses single DES only, how is it
> fundamentally better security-wise than using kaserver...?
>

The Kerberos 4 protocol (including the ancient variant used by kaserver)
has significant *structural* security flaws, over and above those related
to enctypes.

-- 
brandon s allbery                                      allbery.b@gmail.com
wandering unix systems administrator (available)     (412) 475-9364 vm/sms
