[16025] in Kerberos_V5_Development

krb5-1.8.3-beta1 is available

daemon@ATHENA.MIT.EDU (Tom Yu)
Sun Jul 25 15:22:26 2010

To: krbdev@mit.edu
From: Tom Yu <tlyu@mit.edu>
Date: Sun, 25 Jul 2010 15:22:17 -0400
Message-ID: <ldv7hkjbc46.fsf@cathode-dark-space.mit.edu>

MIT krb5-1.8.3-beta1 is now available for download from

         http://web.mit.edu/kerberos/dist/testing.html

The main MIT Kerberos web page is

         http://web.mit.edu/kerberos/

We welcome any additional comments on the GSS-API behavior change
described among the major changes below.  This release is the code
freeze for the krb5-1.8.3 release, which will probably have a final
release early next week.  Please send comments to the krbdev list.

The README file contains a more extensive list of changes.

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which now defaults to "false"
beginning with krb5-1.8.  The krb5-1.8 release includes additional
measures to ease the transition away from single-DES.  These
additional measures include:

* enctype config enhancements (so you can do "DEFAULT +des", etc.)
* new API to allow applications (e.g. AFS) to explicitly reenable weak
  crypto
* easier kadmin history key changes

Major changes in 1.8.3
----------------------

* Behavior Change:

    GSS-API context expiration -- the gss_wrap and gss_unwrap
    functions no longer check for ticket expiration.  Applications
    wishing to enforce ticket lifetimes should check using the
    gss_inquire_context function.  The previous behavior of checking
    for ticket expiration produced results that were not expected by
    application developers, and could lead to poor user experience.

* Fix an interoperability issue when the Microsoft HMAC-MD5 checksum
  type was used with non-RC4 keys.

* Fix an interoperability issue with ephemeral Diffie-Hellman key
  exchange in PKINIT that would happen for less than 1% of
  transactions.
