[1160] in Kerberos_V5_Development
Re: CVS branches for releases
daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Fri May 10 16:38:34 1996
Date: Fri, 10 May 1996 16:33:09 -0400
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krbdev@MIT.EDU, ghudson@MIT.EDU
In-Reply-To: Sam Hartman's message of 10 May 1996 11:33:52 -0400,
<tslk9ykr19b.fsf@tertius.mit.edu>
The Krb5 tree has been in a state of gradual congealing for the past
couple of weeks; only bug fixes or changes which have been specifically
cleared by me should be checked in at this point.
I still have some critical crypto/algorithm changes which have to get
checked in, dealing with the RFC-1510 differences document. I need to
type up some of the decisions that Cliff and I made when we finally had
a chance to confer this week, but the basic idea is given the recent
work in finding collisions in the MD5 compression function (10 hours on
a Pentium PC), MD5 and DES are roughly at the same level of strength,
and it's probably not worth it to do a long, involved changeover to get
everyone implementing DES/MD5 correctly (i.e. allocate a new checksum
type number, and do the whole backwards compatibility thing).
It's probably better to document the old (broken) implementation
behavior in RFC-1510bis, and then make a strong statement in RFC-1510bis
that the preferred long-term algorithm to support is 3DES and SHA. For
this reason, although I don't expect to get all of the algorithm issues
settled before Beta 6, we should get the 3DES algorithms issues settled
ASAP.
My apologies for how long its taken to deal with these issues, and my
not documented more of the side conversations on the krbdev list ---
most of my time has been swallowed up by MIT Re-engineering Hell,
especially over the past two weeks, so I've been pretty swamped lately.
- Ted
