On 5/9/2015 12:57 AM, John Denker wrote:
On 05/05/2015 01:21 AM, Matt Caswell wrote:

I am considering removing Kerberos support from OpenSSL 1.1.0. There are
a number of problems with the functionality as it stands, and it seems
to me to be a very rarely used feature.

I don't understand what it means to say the
feature "seems" rarely used.  Is there any
actual evidence about the number and/or
importance of uses?

  I'm interested in hearing any
opinions on this (either for or against).

Opinions are not a good substitute for actual
evidence.

This thread has revealed that some people on
this list would prefer something else, but
that leaves unanswered (and almost unasked)
the question of whether Kerberos is actually
being used.

Personally I don't use it, but that does not
come close to answering the question.  A few
moments of googling suggest that some people
are using Kerberos in conjunction with openssl.
For example:
   
http://linuxsoft.cern.ch/cern/slc61/i386/yum/updates/repoview/krb5-pkinit-openssl.html

That refers to the use of the OpenSSL crypto libraries to provide PKI functions needed
to support the PKINIT protocols. PKINIT uses PKI for a pre-authentication data element
as part of the Kerberos AS-REQ. PKINIT is used by Windows Active Directory and unix versions
of Kerberos for smart card login to the AD or KDC.

https://tools.ietf.org/html/rfc4556

It has nothing to do with the SSL/TLS protocols using Kerberos.

I too have never used Kerberos with the SSL protocol. Time marches on,
DES is deprecated and not used in Kerberos, SSL is being replaced by TLS,
and these changes have not been reflected in the standards used for the OpenSSL
Kerberos code.

I have worked with Jeff Altman and Nico Williams in IETF working groups and
they are the experts in the use of GSS and Kerberos.


I plan to start preparing the patches to remove it next week.

Why do we think that's worth the trouble?

What evidence is there that removal won't
cause problems?  It's hard to prove a negative,
and the recent discussions on this list don't
even come close.

I don't care about Kerberos directly, but it
seems like a poor use of resources to worry
about Kerberos while more pressing issues are
left unaddressed.

Misuse of the older Kerberos code in OpenSSL with SSL is not as secure as one might think.
Removing the code might be the best thing that could happen.


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


--

 Douglas E. Engert  <deeng...@gmail.com>
