Security impact of removing timestamp check in rd_rep()
Sam Hartman
hartmans at mit.edu
Mon May 16 15:31:24 GMT 2005
>>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:

Andrew> I've been thinking about this, and would like a reality
Andrew> check:

Andrew> If krb5 had included this originally (assume it was
Andrew> mandatory), this would have eliminated the need for the
Andrew> reply cache, right?

Yep, and a lot of us wish krb5 had included this from the beginning.
Note that there are a lot of protocols for which this would be
inappropriate. For example, multimedia keying really seems to want to
do things in one round trip. However, when available, it would be nice
to get rid of the replay cache.