Rodney M Dyer wrote:
> At 09:57 AM 8/30/2006, Jeffrey Altman wrote:
>> At the moment the requirement is that the service key and the session
>> key be limited to one of the single DES types.  DES-CBC-CRC,
>> DES-CBC-MD5, DES-CBC-MD4.
>>
>> In some future we will support stronger encryption types.
> 
> Exactly what does this "future" depend on:
> 
> * Simple developer time to implement?
> * Encryption algorithm licensing?
> * Encryption algorithm development?
> * Does the AFS codebase have a modular encryption scheme where a new
> algorithm can simply be "plugged in"?
> * Can you just simply use the prototype encryption algorithms from their
> respective RFCs?
> * If you started today on a full time basis, how long do you think it
> would take to add AES for example?
> * Would this also include the implementation time for "fs crypt"?
> 
> Rodney

It requires lots of developer time.  Marcus Watts and Matt Benjamin
have been working on a replacement for the rxkad security class called
rxk5.  This is a Kerberos 5 based security class that will support the
full range of enctypes supported by Kerberos 5 and the KCRYPTO family
of RFCs.  They have been working on it for more than a year.

rxk5 does not do everything that we wanted rxgk to do but they are
much further along in the development process than rxgk is at the moment
and rxk5 provides 90% of what is desired.

Jeffrey Altman
