Security impact of removing timestamp check in rd_rep()

Sam Hartman hartmans at mit.edu
Mon May 16 15:31:24 GMT 2005


>>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:

    Andrew> I've been thinking about this, and would like a reality
    Andrew> check:

    Andrew> If krb5 had included this originally (assume it was
    Andrew> mandatory), this would have eliminated the need for the
    Andrew> reply cache, right?

Yep, and a lot of us wish krb5 had included this from the beginning.


Note that there are a lot of protocols for which this would be
inappropriate.  For example multimedia keying really seems to want to
do things in one round trip.  However when available it would be nice
to get rid of the replay cache.



More information about the samba-technical mailing list