[36040] in Kerberos
Re: Crypto backends for MIT Kerberos V5
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Apr 15 00:27:06 2014
Message-ID: <534CB50B.4010906@mit.edu>
Date: Tue, 15 Apr 2014 00:26:51 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Arpit Srivastava <arpit.orb@gmail.com>, kerberos <kerberos@mit.edu>
In-Reply-To: <CAEvOXU634TLvXxr4QGHYPa5HOwhFCJR9t_eU=5mkk=O97Wzz5Q@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 04/14/2014 07:41 AM, Arpit Srivastava wrote:
> 1. Is built-in crypto backend enough for PKINIT to work or do we need
> anything else in addition for that ?
PKINIT uses OpenSSL (by default) or NSS (if explicitly built that way)
for public-key crypto operations. It uses libk5crypto for RFC 3961
operations, and any of the libk5crypto modules is fine for that.
> 2. Has built-in crypto backend been tested against vulnerabilities and
> how abt support offered by the community if any issue related to builtin
> crypto backend is reported in future ?
It's the default module and is used by most downstream distributors
(with the exception of Solaris), so it receives plenty of testing and
support.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
