[1775] in Kerberos_V5_Development
Re: protocol flaw (160 lines) (was: krbdev vs krbcore)
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Sat Sep 21 16:49:21 1996
Date: Sat, 21 Sep 1996 16:49:15 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: bjaspan@MIT.EDU
Cc: marc@MIT.EDU, don@cam.ov.com, krbcore@MIT.EDU
In-Reply-To: <199609212046.QAA15348@beeblebrox.MIT.EDU> (bjaspan@MIT.EDU)
> Note that a KDC that wanted to support this PA type would have to be
> able to index the database by both principal names and hashed
> principal names...
Actually, this isn't true: the KDC could just automatically hash the
principal names in all normal requests before looking them up, thus
only keeping the db indexed by hashed values.
So... this idea seems to be very easy to implement, compatible with
the existing protocol, and it provides a bona-fide security
improvement. Sounds like a winner to me...
Barry