[1597] in Kerberos_V5_Development
Re: kadmin and md5
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Fri Aug 16 11:27:14 1996
Date: Fri, 16 Aug 1996 11:26:46 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: hartmans@MIT.EDU
Cc: krbcore@MIT.EDU
In-Reply-To: <199608160022.UAA20181@tertius.mit.edu> (message from Sam Hartman
on Thu, 15 Aug 1996 20:22:06 -0400)
My understanding is that the reason for all the complexity with MD5 was
simply to save space in the database---since des-cbc-crc and
des-cbc-md5 use the same key type, there is no reason actually to
store two copies of the key in the database, so instead we store one
and set this magic bit to say "pretend there is an md5 enctype in the
database too."
IMHO, this is silly. The additional complexity, both in the code and
in confusion of users (BTW, when I say "users" I always mean to
include sysadmins running Kerberos), is not worth the space savings.
Disk space is even cheaper than memory. Further, we'll just need
another magic bit when we change from 3des-cbc-sha to
3des-cbc-something-else, and then the administrative overhead becomes
a nightmare. (It would be less nightmarish if all kdc attributes were
moved from principal entries to policies, a change that I think should
happen after 1.0, but that's another story.)
Ergo, I'd suggest removing the special MD5 code and just having all
enctypes represented directly in the database, even if they have the
same actual key contents.
Barry
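The following is an added illustration of the two database layouts the message contrasts; it is not code from the message or from the krb5 tree, and every name in it (PrincipalEntry, pretend_md5, find_key_aliased, find_key_explicit, expand_aliases) is an assumption made here. It models the space-saving scheme (one stored des-cbc-crc key plus a flag that makes des-cbc-md5 lookups succeed) next to the scheme the message proposes (every enctype stored explicitly), and shows why the flag forces a special case into every routine that reads keys while the explicit layout needs none.

```python
"""Aliased vs. explicit key storage for enctypes that share key material.

Illustrative example only (not krb5 code); identifiers are assumptions.
"""
from dataclasses import dataclass, field

# Names for the two single-DES enctypes discussed in the message. Both are
# built on the same 8-byte DES key, which is what makes aliasing possible.
DES_CBC_CRC = "des-cbc-crc"
DES_CBC_MD5 = "des-cbc-md5"


@dataclass
class StoredKey:
    enctype: str
    keybytes: bytes


@dataclass
class PrincipalEntry:
    name: str
    keys: list = field(default_factory=list)
    # The "magic bit": when set, the stored des-cbc-crc key also answers
    # lookups for des-cbc-md5 although no md5 record exists in the database.
    pretend_md5: bool = False


def find_key_aliased(entry, enctype):
    """Key lookup under the space-saving scheme (one key plus a flag)."""
    for k in entry.keys:
        if k.enctype == enctype:
            return k.keybytes
    # The special case every consumer of the database must know about.
    if enctype == DES_CBC_MD5 and entry.pretend_md5:
        for k in entry.keys:
            if k.enctype == DES_CBC_CRC:
                return k.keybytes
    return None


def find_key_explicit(entry, enctype):
    """Key lookup under the proposed scheme: no flags, just stored keys."""
    for k in entry.keys:
        if k.enctype == enctype:
            return k.keybytes
    return None


def supported_enctypes(entry):
    """Enctypes a client may negotiate for this principal.

    Under the aliased scheme this, too, has to consult the flag; under the
    explicit scheme the stored list is already the answer.
    """
    types = [k.enctype for k in entry.keys]
    if entry.pretend_md5 and DES_CBC_CRC in types and DES_CBC_MD5 not in types:
        types.append(DES_CBC_MD5)
    return types


def expand_aliases(entry):
    """One-time migration: turn an aliased entry into an explicit one.

    Removing the magic bit (as the message suggests) would need exactly this
    step for existing entries; afterwards find_key_explicit is sufficient.
    """
    keys = list(entry.keys)
    if entry.pretend_md5 and not any(k.enctype == DES_CBC_MD5 for k in keys):
        crc = next((k for k in keys if k.enctype == DES_CBC_CRC), None)
        if crc is not None:
            keys.append(StoredKey(DES_CBC_MD5, crc.keybytes))
    return PrincipalEntry(entry.name, keys, pretend_md5=False)


# Constructed sample entry (key bytes are arbitrary test data, not a real key).
SAMPLE_KEY = bytes.fromhex("13579bdf13579bdf")
SAMPLE_ENTRY = PrincipalEntry(
    "alice@EXAMPLE.COM", [StoredKey(DES_CBC_CRC, SAMPLE_KEY)], pretend_md5=True
)

if __name__ == "__main__":
    print("aliased lookup md5:", find_key_aliased(SAMPLE_ENTRY, DES_CBC_MD5))
    print("explicit lookup md5 (flag ignored):",
          find_key_explicit(SAMPLE_ENTRY, DES_CBC_MD5))
    migrated = expand_aliases(SAMPLE_ENTRY)
    print("after migration:", [k.enctype for k in migrated.keys])
```

Note that in the aliased layout a routine that forgets the flag (find_key_explicit applied to the original entry) silently reports the md5 key as missing; after expand_aliases the flag is gone and the plain lookup is correct, at the cost of one extra stored key per principal.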