From owner-freebsd-current@FreeBSD.ORG  Mon May  5 12:50:09 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8B6F537B401; Mon,  5 May 2003 12:50:09 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 2D3AE43FB1; Mon,  5 May 2003 12:50:08 -0700 (PDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1])
	by khavrinen.lcs.mit.edu (8.12.9/8.12.9) with ESMTP id h45Jo6Vo026252
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Mon, 5 May 2003 15:50:06 -0400 (EDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.12.9/8.12.9/Submit) id h45Jo5Pu026249;
	Mon, 5 May 2003 15:50:05 -0400 (EDT)
	(envelope-from wollman)
Date: Mon, 5 May 2003 15:50:05 -0400 (EDT)
From: Garrett Wollman <wollman@lcs.mit.edu>
Message-Id: <200305051950.h45Jo5Pu026249@khavrinen.lcs.mit.edu>
To: Doug Barton <DougB@freebsd.org>
In-Reply-To: <20030505052615.R2996@znfgre.qbhto.arg>
References: <200305050845.h458j38c069038@grimreaper.grondar.org>
	<20030505121050.GC21530@madman.celabo.org>
	<20030505052615.R2996@znfgre.qbhto.arg>
X-Spam-Score: -18.7 ()
	IN_REP_TO,MANY_EXCLAMATIONS,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES
X-Scanned-By: MIMEDefang 2.33 (www . roaringpenguin . com / mimedefang)
cc: current@freebsd.org
Subject: Re: HEADS UP! Kerberos5/Heimdal now default!
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2003 19:50:09 -0000

<<On Mon, 5 May 2003 05:37:37 -0700 (PDT), Doug Barton <DougB@freebsd.org> said:

> I'm going to assume that as security officer you're aware of the extremely
> colorful history of kerberos's many vulnerabilities. :)

What ``extremely colorful history of ... vulnerabilities''?  I can
think of no more than five times I've had to rebuild my KDC in six
years.

> Also, I'm not impressed with the, "But this is kerb 5, not kerb 4"
> argument, since up till recently the limited deployed base of kerb 5 has
> not made it a very attractive target for hackers.

Kerberos 5 is in every single Windows (>= 2000) installation in the
world.  It has a larger installed base than any release of FreeBSD.
If there are any fundamental protocol vulnerabilities, they would be
known by now.

-GAWollman