[28751] in Kerberos
Re: Adding supported enctypes to kdc
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Fri Nov 16 19:13:44 2007
Date: Fri, 16 Nov 2007 18:13:15 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20071117001315.GJ24648@Sun.COM>
Mail-Followup-To: Russ Allbery <rra@stanford.edu>, kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <87abpdrbrb.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, Nov 16, 2007 at 03:50:16PM -0800, Russ Allbery wrote:
> John Washington <jawashin@uiuc.edu> writes:
>
> > I would definitely add aes128-cts-hmac-sha1-96 and
> > aes256-cts-hmac-sha1-96, as Microsoft is adding these to AD (and I
> > prefer good encryption, not really broken encryption)
>
> Is there any reason to add the 128-bit keys? So far, it seems like
> everyone who can do 128-bit can also do 256-bit, but maybe that isn't true
> of the upcoming Windows release? (They're both equally export-controlled,
> so far as I know.)
It isn't true for Solaris 10 without the supplemental cryptography
packages -- I don't recall if this changed in S10U4 or will change in
U5, but we're definitely moving towards delivering 256-bit key length
support by default.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
