[OpenAFS-win32-devel] [Fwd: kfw-3.0-beta-2 is available]

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 01 Dec 2005 12:23:31 -0500


This is a cryptographically signed message in MIME format.

--------------ms090608020200010305080202
Content-Type: multipart/mixed;
 boundary="------------020505070806010700080301"

This is a multi-part message in MIME format.
--------------020505070806010700080301
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

fyi ...



--------------020505070806010700080301
Content-Type: message/rfc822;
 name="kfw-3.0-beta-2 is available"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="kfw-3.0-beta-2 is available"

Return-path: <krbdev-bounces@MIT.EDU>
Authentication-Results: secure-endpoints.com
	smtp.mail=krbdev-bounces@MIT.EDU; spf=softfail; ip-match=fail
Authentication-Results: secure-endpoints.com
	header.from=krbdev-bounces@MIT.EDU; domainkeys= (no key); dkim=neutral (not signed)
X-MDDKIM-Result: neutral (secure-endpoints.com)
X-MDSPF-Result: softfail (secure-endpoints.com)
Received-SPF: softfail (secure-endpoints.com: domain of transitioning krbdev-bounces@MIT.EDU
	does not designate 128.59.28.169 as permitted sender)
	x-spf-client=MDaemon.PRO.v8.1.3.R
	receiver=secure-endpoints.com
	client-ip=128.59.28.169
	envelope-from=<krbdev-bounces@MIT.EDU>
	helo=tepin.cc.columbia.edu
Received: from tepin.cc.columbia.edu (tepin.cc.columbia.edu [128.59.28.169])
	by secure-endpoints.com (secure-endpoints.com)
	(Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v8.1.3.R)
	with ESMTP id md50000009339.msg
	for <jaltman@secure-endpoints.com>; Wed, 30 Nov 2005 19:07:07 -0500
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by tepin.cc.columbia.edu (8.13.0/8.13.0) with ESMTP id jB1045OI027718
	for <jaltman@columbia.edu>; Wed, 30 Nov 2005 19:04:08 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id jB101lpx032074;
	Wed, 30 Nov 2005 19:01:47 -0500
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU
	[18.7.7.80])
	by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id jB100jpx031907;
	Wed, 30 Nov 2005 19:00:45 -0500
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103])
	jB100lwn010736;	Wed, 30 Nov 2005 19:00:47 -0500 (EST)
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU
	[18.18.1.96])	(authenticated bits=56)
	(User authenticated as tlyu@ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.13.1/8.12.4) with ESMTP id jB100jxf018258
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Wed, 30 Nov 2005 19:00:45 -0500 (EST)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9)
	id jB100jJ5000816; Wed, 30 Nov 2005 19:00:45 -0500 (EST)
To: kerberos@MIT.EDU, krbdev@MIT.EDU
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 30 Nov 2005 19:00:40 -0500
Message-ID: <ldviru98z4n.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Scanned-By: MIMEDefang 2.48 on 128.59.28.169
X-Scanned-By: MIMEDefang 2.42
Subject: kfw-3.0-beta-2 is available
X-BeenThere: krbdev@mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: Kerberos Developers Mailing List <krbdev.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/krbdev>,
	<mailto:krbdev-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/krbdev>
List-Post: <mailto:krbdev@mit.edu>
List-Help: <mailto:krbdev-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/krbdev>,
	<mailto:krbdev-request@mit.edu?subject=subscribe>
Sender: krbdev-bounces@MIT.EDU
Errors-To: krbdev-bounces@MIT.EDU
X-Lookup-Warning: MAIL lookup on krbdev-bounces@MIT.EDU does not match 128.59.28.169
X-MDRcpt-To: jaltman@secure-endpoints.com
X-Rcpt-To: jaltman@secure-endpoints.com
X-MDRemoteIP: 128.59.28.169
X-Return-Path: krbdev-bounces@MIT.EDU
X-MDaemon-Deliver-To: jaltman@secure-endpoints.com
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05)
X-Spam-Report: 
	*  2.5 MDAEMON_SPF_SOFTFAIL MDaemon: soft-failed SPF verification
	* -4.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
	*      [score: 0.0000]
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,
	MDAEMON_SPF_SOFTFAIL autolearn=no version=3.0.4
X-Spam-Level: 
X-Spam-Processed: secure-endpoints.com, Wed, 30 Nov 2005 19:07:07 -0500

-----BEGIN PGP SIGNED MESSAGE-----

The MIT Kerberos Development Team is proud to announce a public beta
of the next major revision of our Kerberos for Windows product,
Version 3.0.

Version 3.0 provides several often requested new features:

* thread-safe Kerberos 5 libraries (provided by Kerberos 5 release 1.4.3)

* a replacement for the Leash Credential Manager called the Network
  Identity Manager

    - a visually enticing application that takes advantage of all of the
      modern XP style User Interface enhancements

    - supports the management of multiple Kerberos 5 identities in a
      variety of credential cache types including CCAPI and FILE.

    - credentials can be organized by credential cache location or by
      identity

    - a single identity can be marked as the default for use by
      applications that request the current default credential cache

    - Network Identity Manager is built upon the Khimaira Identity
      Management Framework introduced this past summer at the AFS &
      Kerberos Best Practices Conference at CMU.

    - Credential Managers for Kerberos 5 and Kerberos 4 are
      provided. An AFS Credential Manager will be made available by
      Secure Endpoints Inc.
      http://www.secure-endpoints.com

    - The Khimaira framework is a pluggable engine into which custom
      Identity Managers and Credential Managers can be added.
      Organizations interested in building plug-ins for the Network
      Identity Manager may contact Jeffrey Altman at either
      jaltman@mit.edu or jaltman@secure-endpoints.com

* a Kerberos specific WinLogon Network Provider that will use the
  username and password combined with the MIT Kerberos default realm
  in an effort to obtain credentials at session logon

Important changes since the 2.6.5 release:
- -------------------------------------------
* This release requires 32-bit editions of Microsoft Windows 2000 or
  higher.  Support for Microsoft Windows 95, 98, 98 Second Edition,
  ME, and NT 4.0 has been discontinued.  Users of discontinued
  platforms should continue to use MIT Kerberos for Windows 2.6.5.

* Version 3.0 does not include any internal support for AFS.  The
  aklog.exe utility now ships as a part of OpenAFS for
  Windows. <http://www.openafs.org> The AFS credential manager for the
  Network Identity Manager will be shipped separately by Secure
  Endpoints Inc. and will be incorporated into a future release of
  OpenAFS.


Downloads
- ----------
Binaries and source code can be downloaded from the MIT Kerberos web site:
   http://web.mit.edu/kerberos/



Known Bugs and Bug Reports
- --------------------------
* The MSI installer still contains references to the Leash Ticket
   Manager and installs a shortcut to the old Leash documentation
   which is no longer installed.

* The Network Identity Manager cannot distinguish between two
   identities or realms that differ only by the use of upper or
   lower case letters.

Please send reports of new bugs to kfw-bugs@mit.edu.   Additional
feedback can be sent to krbdev@mit.edu.


Acknowledgments
- -----------------
The MIT Kerberos team would like to thank Jet Propulsion Laboratory and
Secure Endpoints Inc. for their support during the development of this
release.



Important notice regarding Kerberos 4 support
- ---------------------------------------------

In the past few years, several developments have shown the inadequacy
of the security of version 4 of the Kerberos protocol.  These
developments have led the MIT Kerberos Team to begin the process of
ending support for version 4 of the Kerberos protocol.  The plan
involves the eventual removal of Kerberos 4 support from the MIT
implementation of Kerberos.

The Data Encryption Standard (DES) has reached the end of its useful
life.  DES is the only encryption algorithm supported by Kerberos 4,
and the increasingly obvious inadequacy of DES motivates the
retirement of the Kerberos 4 protocol.  The National Institute of
Standards and Technology (NIST), which had previously certified DES as
a US government encryption standard, has officially announced[1] the
withdrawal of the Federal Information Processing Standards (FIPS) for
DES.

NIST's action reflects the long-held opinion of the cryptographic
community that DES has too small a key space to be secure.  Breaking
DES encryption by an exhaustive search of its key space is within the
means of some individuals, many companies, and all major governments.
Consequently, DES cannot be considered secure for any long-term keys,
particularly the ticket-granting key that is central to Kerberos.

Serious protocol flaws[2] have been found in Kerberos 4.  These flaws
permit attacks which require far less effort than an exhaustive search
of the DES key space.  These flaws make Kerberos 4 cross-realm
authentication an unacceptable security risk and raise serious
questions about the security of the entire Kerberos 4 protocol.

The known insecurity of DES, combined with the recently discovered
protocol flaws, make it extremely inadvisable to rely on the security
of version 4 of the Kerberos protocol.  These factors motivate the MIT
Kerberos Team to remove support for Kerberos version 4 from the MIT
implementation of Kerberos.

The process of ending Kerberos 4 support began with release 1.3 of MIT
Kerberos 5.  In release 1.3, the default run-time configuration of the
KDC disables support for version 4 of the Kerberos protocol.  Release
1.4 of MIT Kerberos continues to include Kerberos 4 support (also
disabled in the KDC with the default run-time configuration), but we
intend to completely remove Kerberos 4 support from some future
release of MIT Kerberos, possibly as early as the 1.5 release of MIT
Kerberos.

The MIT Kerberos Team has ended active development of Kerberos 4,
except for the eventual removal of all Kerberos 4 functionality.  We
will continue to provide critical security fixes for Kerberos 4, but
routine bug fixes and feature enhancements are at an end.

We recommend that any sites which have not already done so begin a
migration to Kerberos 5.  Kerberos 5 provides significant advantages
over Kerberos 4, including support for strong encryption,
extensibility, improved cross-vendor interoperability, and ongoing
development and enhancement.

If you have questions or issues regarding migration to Kerberos 5, we
recommend discussing them on the kerberos@mit.edu mailing list.

                               References

[1] National Institute of Standards and Technology.  Announcing
     Approval of the Withdrawal of Federal Information Processing
     Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
     Guidelines for Implementing and Using the NBS Data Encryption
     Standard; and FIPS 81, DES Modes of Operation.  Federal Register
     05-9945, 70 FR 28907-28908, 19 May 2005.  DOCID:fr19my05-45

[2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
     Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
     the Network and Distributed Systems Security Symposium. The
     Internet Society, February 2004.
     http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQ449LKbDgE/zdoE9AQHVrQP/YFlrpWClgCTOzt/uI70zEdkqw3bdIVkg
h/ASh/F+lR4zG1w3rmyRg3FRjajle0QC6c3/Ib7ew8cKPeBUwmOU4fvOEhFlnKfa
eO7H57SRc9sUhUPhUG9eEehXuYAzJjsdyyJTJ02my4xJXryKBDdWgMBh+f9hHdad
UlWyYcANXxw=
=nru7
-----END PGP SIGNATURE-----
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

--------------020505070806010700080301--

--------------ms090608020200010305080202
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJXzCC
AwowggJzoAMCAQICAw7NrTANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UE
ChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDUwNTI3MTc0NzU3WhcNMDYwNTI3MTc0NzU3
WjBzMQ8wDQYDVQQEEwZBbHRtYW4xFTATBgNVBCoTDEplZmZyZXkgRXJpYzEcMBoGA1UEAxMT
SmVmZnJleSBFcmljIEFsdG1hbjErMCkGCSqGSIb3DQEJARYcamFsdG1hbkBzZWN1cmUtZW5k
cG9pbnRzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKjPyrF+rdjOUSK/
bWwZHdx5p1+y6iiCd4vvYEVDxouYFp5C/fZEWm5n45ubBUbMSUI1MAZN6ooEoH09UTj6BXhM
S8B987ls81dKOIUphTF2jOzq8gsFmeA15yHMRAD20LqUWeLyvYk8FCNQw+dsKMMhX+WdsxOm
RY/1jPkJL6oN8kEwoUFkOX9/OfWWh6oFnV6faiEHUKDMFubsb9X0KVD8iIeR7Cxz7i4kXqRX
wMlp2fyoxcDIJrBaTY8nA++g3p34IkWt1a5po6g683nIgSnGpwYIwuJheBqSEZfLYWa+1KdD
6Sn27Ud94GqUvPVG5jC6zVC5EJ2aWuoAu+nNuV8CAwEAAaM5MDcwJwYDVR0RBCAwHoEcamFs
dG1hbkBzZWN1cmUtZW5kcG9pbnRzLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUA
A4GBADtvO//tjiAV6VJGtoNtrl34mB5jGyGTiotzw8riB6zz0GvY11bcWDmp6JKif+pVG+8L
IySDosbuva13qu2HwYUxBmWc7CoNd2k9kRlcrfbDUTTrGOZK8qyqNqT3gQZTAa9ZnUI0su9G
y/n2o5bQcaYdqR3htNrpvdLSPOWhILOXMIIDCjCCAnOgAwIBAgIDDs2tMA0GCSqGSIb3DQEB
BAUAMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBM
dGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0w
NTA1MjcxNzQ3NTdaFw0wNjA1MjcxNzQ3NTdaMHMxDzANBgNVBAQTBkFsdG1hbjEVMBMGA1UE
KhMMSmVmZnJleSBFcmljMRwwGgYDVQQDExNKZWZmcmV5IEVyaWMgQWx0bWFuMSswKQYJKoZI
hvcNAQkBFhxqYWx0bWFuQHNlY3VyZS1lbmRwb2ludHMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAqM/KsX6t2M5RIr9tbBkd3HmnX7LqKIJ3i+9gRUPGi5gWnkL99kRa
bmfjm5sFRsxJQjUwBk3qigSgfT1ROPoFeExLwH3zuWzzV0o4hSmFMXaM7OryCwWZ4DXnIcxE
APbQupRZ4vK9iTwUI1DD52wowyFf5Z2zE6ZFj/WM+Qkvqg3yQTChQWQ5f3859ZaHqgWdXp9q
IQdQoMwW5uxv1fQpUPyIh5HsLHPuLiRepFfAyWnZ/KjFwMgmsFpNjycD76DenfgiRa3Vrmmj
qDrzeciBKcanBgjC4mF4GpIRl8thZr7Up0PpKfbtR33gapS89UbmMLrNULkQnZpa6gC76c25
XwIDAQABozkwNzAnBgNVHREEIDAegRxqYWx0bWFuQHNlY3VyZS1lbmRwb2ludHMuY29tMAwG
A1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAO287/+2OIBXpUka2g22uXfiYHmMbIZOK
i3PDyuIHrPPQa9jXVtxYOanokqJ/6lUb7wsjJIOixu69rXeq7YfBhTEGZZzsKg13aT2RGVyt
9sNRNOsY5kryrKo2pPeBBlMBr1mdQjSy70bL+fajltBxph2pHeG02um90tI85aEgs5cwggM/
MIICqKADAgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMM
V2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25z
dWx0aW5nMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYD
VQQDExtUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNv
bmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcNMTMwNzE2MjM1OTU5
WjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRk
LjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f6f+jHuy9zfVb8hp2
vX8MOmHyv1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/EfkTYkKhPPK9Xzgnc9
A74r/rsYPge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7AgMBAAGjgZQwgZEw
EgYDVR0TAQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsLnRoYXd0
ZS5jb20vVGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8EBAMCAQYwKQYDVR0R
BCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqGSIb3DQEBBQUAA4GB
AEiM0VCD6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQcUCCTcDz9reFhYsPZ
Ohl+hLGZGwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bGCE6u9uo05RAaWzVN
d+NWIXiC3CEZNd4ksdMdRv9dX2VPMYIDOzCCAzcCAQEwaTBiMQswCQYDVQQGEwJaQTElMCMG
A1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBl
cnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECAw7NrTAJBgUrDgMCGgUAoIIBpzAYBgkqhkiG
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNTEyMDExNzIzMzFaMCMGCSqG
SIb3DQEJBDEWBBS8UrAlyXiCQSq+MkxLgHkCQEUcrDBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqG
SIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG
9w0DAgIBKDB4BgkrBgEEAYI3EAQxazBpMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3
dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJl
ZW1haWwgSXNzdWluZyBDQQIDDs2tMHoGCyqGSIb3DQEJEAILMWugaTBiMQswCQYDVQQGEwJa
QTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhh
d3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECAw7NrTANBgkqhkiG9w0BAQEFAASC
AQCSTQKPkXB+rB7YnoiBWnnwPicFdaFOowSXRfA8/N1eMmy3wsufRyUcDT+7T6KptHxsy8Y0
xbMLZZ8aB4psjtppyuXQQIA+9zx8nSI9OeAUmnZ/NB2WCd13sooHYAs7a0TCBWUnNgHuZD7/
EhznuJGPMkaFF9Q83bRsbMJEsPd6pCrFsIB2NzUpc+w/ED3RBsZdsJ1Aim9bw3Ps9Q/IgbzE
pLAb77xqQwP9J2xxZHxScn0K8jT55vzHoIxtjcLZ1IT8utZvEgK1qTK7lq/w1N5hAF657/LS
b+IQMztkTJHsdUgJcsda7T3CH1VmcCC/6HGRTAspJaFNZlP9AXOGHElGAAAAAAAA
--------------ms090608020200010305080202--