[openssl-dev] Kerberos

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue May 5 13:10:04 UTC 2015


I'm hesitant to remove this capability altogether, but your argument is convincing. 
In view of the progress recently made in the quantum computing field, I think it would be nice to strengthen symmetric crypto capabilities (such as Kerberos), but that implies a lot of work (which I'm not volunteering for :). 

Between a rock and a hard place. :-)


----- Original Message -----
From: Matt Caswell [mailto:matt at openssl.org]
Sent: Tuesday, May 05, 2015 08:56 AM
To: openssl-dev at openssl.org <openssl-dev at openssl.org>
Subject: Re: [openssl-dev] Kerberos



On 05/05/15 13:22, Blumenthal, Uri - 0553 - MITLL wrote:
> What are the problems?

The code as it exists today is not compiled by default. I recently fixed
a set of issues in master that had not been spotted simply because the
code is not regularly compiled and used. One possible solution to that
is to turn it on by default...but I think that is worse since it
unnecessarily increases the attack surface for those that don't use it
(the vast majority). As it turns out the "--with-krb5-include" Configure
option has not been working correctly in 1.0.2 since it was
released...but no-one noticed.

Due to the infrequency with which it is being used in practice this
means that the code is not being kept up to date. There are some
technical issues (including its use of single DES) which mean the
existing solution is not fit-for-purpose. Viktor is probably better
placed to elaborate on those.

Either we should invest in the effort to bring it up to a suitable
standard or we get rid of it. Given that (I believe) very few people are
using it, it seems more sensible to get rid of it. Part of the purpose
of my email was to gauge whether I was right that very few people are
using it.

Matt