[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Authenticate to ldap using Kerberos
Dan White <dwhite@olp.net> writes:
> If it didn't support TLS, I'd think that'd be a much more urgent focus
> (GSSAPI only provides 56 bits of encryption).
Incidentally, where are you getting this? If you use Kerberos with GSSAPI
and AES keys, you get 128-bit encryption so far as I can see. RFC 4121
defers to the Kerberos crypto specification for the encryption, and RFC
3962 definitely doesn't artificially limit the encryption strength of AES
to 56 bits.
SASL reports a security factor of 56, but I believe that's just because
there's no good way at present of getting the actual security factor
bubbled up to the SASL layer so that it can report it properly to the
application. I don't believe that's an accurate reflection of the on-wire
encryption.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>