On Fri, May 08, 2015 at 10:57:10PM -0700, John Denker wrote:

> I don't understand what it means to say the feature "seems" rarely used.
> Is there any actual evidence about the number and/or importance of uses?

We don't need to ask the original question. The current Kerberos support in OpenSSL SHOULD NOT be used, and support SHOULD be removed, even if there are current users. They can stay with whatever version of OpenSSL provides the feature at present; we won't confiscate the code from them.

> For example:
>
> http://linuxsoft.cern.ch/cern/slc61/i386/yum/updates/repoview/krb5-pkinit-openssl.html

This is not in fact a use of the Kerberos cipher-suites in TLS. Rather it is a use of Kerberos in which user passwords are replaced with PKI smartcards or similar. It uses OpenSSL's libcrypto for the PKI bits, but has nothing to do with TLS.

> > I plan to start preparing the patches to remove it next week.
>
> Why do we think that's worth the trouble?

This is unmaintained and largely unused code, whose functionality is obsolete.

> I don't care about Kerberos directly, but it seems like a poor use of
> resources to worry about Kerberos while more pressing issues are left
> unaddressed.

Sorry, removing the code removes the cost of continuing to support that code (even poorly), and removes any latent security issues in that code. Since this code is conditionally compiled, removing it is rather easy. Just drop all the "#ifdef ... #endif" code blocks that support the obsolete Kerberos ciphersuites.

--
	Viktor.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
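The "just drop the #ifdef ... #endif blocks" step from the message above, as an added example that is not code from the thread or from OpenSSL: a small unifdef-style pass that treats one guard macro as permanently defined (or undefined), removes the branches that become dead together with the guard lines, keeps unrelated nested guards intact, and refuses `#if`/`#elif` expressions it cannot decide rather than guessing. The guard name OPENSSL_NO_KRB5 and the kssl_* names in the sample are assumed from OpenSSL 1.0.x; they do not appear on the page.

```python
import re
_DIRECTIVE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b\s*(.*)$")

def resolve_macro(source: str, macro: str, defined: bool) -> str:
    """Treat `macro` as permanently (un)defined; drop dead branches and guards."""
    out, stack = [], []   # frame = [guard tests `macro`?, branch kept?]
    emitting = lambda: all(keep for _, keep in stack)
    for n, line in enumerate(source.splitlines(keepends=True), 1):
        m = _DIRECTIVE.match(line)
        kind, rest = m.groups() if m else (None, "")
        if kind is None:
            pass                             # ordinary line: emit per stack state
        elif kind in ("ifdef", "ifndef"):
            if re.match(r"\w*", rest).group(0) == macro:
                stack.append([True, defined if kind == "ifdef" else not defined])
                continue                     # our guard line is never emitted
            stack.append([False, True])      # foreign guard: pass through
        elif kind == "if":
            if re.search(r"\b%s\b" % re.escape(macro), rest):
                raise ValueError("line %d: #if uses %s, resolve by hand" % (n, macro))
            stack.append([False, True])
        elif not stack:
            raise ValueError("line %d: #%s without #if" % (n, kind))
        elif kind == "elif" and stack[-1][0]:
            raise ValueError("line %d: #elif on %s guard, resolve by hand" % (n, macro))
        elif kind == "else" and stack[-1][0]:
            stack[-1][1] = not stack[-1][1]  # switch to the other branch
            continue
        elif kind == "endif" and stack.pop()[0]:
            continue
        if emitting():
            out.append(line)
    if stack:
        raise ValueError("unterminated #if")
    return "".join(out)

# Constructed sample loosely modelled on the guarded Kerberos code in OpenSSL
# 1.0.x (kssl_* names assumed); it is not real OpenSSL source.
SAMPLE = """#include <openssl/ssl.h>
#ifndef OPENSSL_NO_KRB5
# ifdef DEBUG
#  include <openssl/kssl.h>
# endif
#endif
#ifndef OPENSSL_NO_KRB5
    s->kssl_ctx = kssl_ctx_new();
#else
    (void)s;
#endif
"""
```

Running `resolve_macro(SAMPLE, "OPENSSL_NO_KRB5", True)` gives the Kerberos-free text; passing `False` instead keeps the Kerberos branch, which is a quick way to diff what a removal patch will delete.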
