kfw-3.2-beta2 is available - Kerberos


  1. kfw-3.2-beta2 is available

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1


    The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to
    announce the second beta release of MIT's Kerberos for Windows product,
    Version 3.2.

    Please send bug reports and feedback to kfw-bugs@mit.edu.

    What's New in KFW 3.2:
    ======================

    * Network Identity Manager Application
      o A simplified basic mode has been added to the "obtain new
        credentials dialog". The basic mode replaces the credential
        browser with a button that can be used to access the advanced
        configuration functions. This advanced mode provides the
        credential browser and a tabbed view of the configuration
        dialogs for each of the available credential providers.
      o A simplified default application view that shows only the
        status of the active identities.
      o A new command-line option to netidmgr.exe is available to
        shut down a running instance of Network Identity Manager.
        Specify "-x" or "--exit" to force the existing instance to
        terminate.
      o The use of ellipsis on menu items now follows the Windows
        Style Guide. Ellipsis is only used when additional information
        is required from the user before carrying out the designated
        action. If displaying a dialog is the action, no ellipsis
        is used.
      o Improved handling of window focus when opening and closing
        modal dialogs.
      o Reduce the number of alerts presented to the user by combining
        duplicates into a single alert.
      o Do not generate alerts if there is nothing that the user
        can do to correct the situation. Alerts that are displayed
        provide actions the user can take if desired.
      o Renew and Destroy menus provide "All" and "Individual identity
        names" as choices.
      o The Renew and Destroy toolbar buttons provide dropdown menus
        permitting the action to be applied to either "All" or one
        specific identity.
      o The "default" action of left clicking the notification icon
        is now configurable. The default configuration is "open/close
        NIM window". The alternate is to open the new credentials
        dialog. This can be specified by the user on the General
        Options page.
      o The alerter window can now display multiple alerts simultaneously.
      o Ensure that the NIM window is displayed on an active desktop.
        If not, move it to the primary desktop and center it.
      o New Basic mode display that shows only the state of the
        identity and its expiration time. Use F7 or View->Advanced
        to switch to the previous display that is configurable by the
        user to show details about each credential.
      o New Color Scheme derived from current Windows Desktop Color
        Scheme.
      o Improved display updating algorithms reduce flicker
      o The proper icon sizes are now used in the information bubble
        and the status bar.
      o Task Bar buttons are created for visible windows and dialogs
      o Plug-in Help can now be added to the Help menu
      o Improved HtmlHelp user documentation with Indexing
      o Improved HtmlHelp developer documentation with Indexing
      o Improved PDF user documentation
    * Network Identity Manager Kerberos v5 Support
      o Do not show cached prompts to user if they have expired
      o Correct the possibility that a krb5_ccache handle might be
        freed twice.
      o Import settings from Kerberos Profile if there are no equivalent
        defaults specified in the registry. Support per-realm settings.
      o An identity that matches the MSLSA will not renew its credentials
        from the MSLSA if the user obtained the credentials from
        elsewhere.
      o When importing an identity from the MSLSA that has never been
        seen before, create an entry in the identity database.
      o Do not attempt to renew non-renewable identities
      o Permit an identity to be configured as the default identity
        even if it doesn't have any credentials.
    * Kerberos v5 Library Improvements
      o Based on MIT release 1.6+
      o On Vista MSLSA: krb5_ccache can be used to store tickets
        including TGTs for alternative principals to the LSA credential
        cache
      o On Vista a more efficient interface for enumerating the contents
        of the LSA credential cache is available.
      o Vista support is only built if the Vista SDK version of
        NTSecAPI.H is used.
      o On Vista, if a process is UAC limited, the MSLSA will report
        that no tickets are present in the cache rather than return
        tickets with invalid session keys.
      o get_os_ccname() uses GetEnvironmentVariable() instead of
        getenv() to read the KRB5CCNAME environment variable. This
        allows the correct default credential cache name to be returned
        by krb5_cc_default_name(). This works around a problem where a
        gssapi application would trigger an Obtain New Credentials prompt
        from NIM only to have it obtain the wrong credential cache.
    * Winsock Helper Library Improvements
      o DNS queries that terminate with a dot would not properly match
        the hostnames listed within the DNS response preventing a
        successful return. This resulted in "kinit -4" failing to find
        the KDCs.
    * Integrated Logon Improvements
      o Remove the reliance on the Windows Logon Event handler and
        replace it with a LogonScript that executes kfwlogon.dll via a
        call to rundll32.exe. This change permits the integrated logon
        functionality to work on all supported platforms: Windows 2000
        to Windows Vista.
      o Disable the use of integrated logon if the Network Provider is
        called as a result of a non-interactive logon. The non-interactive
        logon does not process the specified LogonScript. As a result,
        the intermediate credential cache file would not be processed
        nor cleaned up.
      o Obtained credentials are stored into an API credential cache
        whose name is API:
      o Add a debugging mode which when activated logs to the Windows
        Application Event Log.
          [HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider]
          DWORD "Debug"
    * Leash32 Library Changes
      o Modify the leash functions to use krb5_string_to_deltat() to
        parse ticket_lifetime and renew_lifetime from the profile.
        Previously the leash functions expected those fields to be
        integer representation of minutes without the use of any units.
        This change is for consistency with KFM and the rest of the krb5
        library.
      o Modify the private functions acquire_tkt_for_princ() and
        acquire_tkt_no_princ() that are called from gssapi32.dll so that
        they will work on Windows Vista and so that the MSLSA: principal
        is only imported if it matches the default identity and no
        credentials for that identity are present.
      o Remove all AFS functionality.


    Changes since Beta 1
    ====================

    (1) Updated HtmlHelp user documentation with basic indexing

    (2) Updated PDF user documentation

    (3) Fix the Kerberos v4 configuration panel in the Obtain New
    Credentials dialog so that it works even if the global use
    Kerberos v4 flag says not to.

    (4) Initialize the default identity from existing credentials if
    there has never been a default identity specified before

    (5) Renew identities that are imported from MSLSA by importing if
    and only if the user did not manually obtain credentials for the
    same identity later on.

    (6) When renewing an identity that was imported from the MSLSA, if
    the credentials are expired (or otherwise not useful) initialize
    the MSLSA ccache and try again.

    (7) Improvements in hot spot handling

    (8) Improvements in Advanced view column sort order handling

    (9) Add a Taskbar button to the main window and the obtain new
    credentials and change password dialogs

    (10) Add a vertical scrollbar to the realm list in the Obtain New
    Credentials and Change Password dialogs

    (11) File Version information was missing from a number of the
    Kerberos utility commands.

    (12) The NIM About dialog could not be closed via Alt-F4

    (13) The Integrated Logon Event Log name was changed to "MIT Kerberos".
    Logging of failure to find the "Debug" registry value was removed.
    Use case-insensitive tests for the Windows Station to ensure that
    the "interactive" state can be properly determined on Vista.
    Clean up orphaned cache files (older than five minutes). Properly
    find the kfwcpcc.exe executable.

    (14) Significantly improved Network Identity Manager Developer
    documentation.


    Supported Versions of Microsoft Windows
    =======================================

    This release requires 32-bit editions of Microsoft Windows 2000 and
    higher or the WOW64 environment of 64-bit editions of Microsoft
    Windows XP and higher.


    Microsoft Vista User Account Control (UAC)
    ==========================================

    Microsoft Vista UAC mode prevents accounts that are members of the
    local Administrators group from accessing Kerberos session keys from
    the LSA credentials cache. The MIT Kerberos MSLSA krb5_ccache type
    will not report the existence of Kerberos tickets which do not have
    valid session keys.

    Users are encouraged to log in to Microsoft Vista with accounts
    that are not members of the local machine Administrators group in
    order to obtain the best single sign-on experience with MIT Kerberos
    for Windows and Network Identity Manager.


    Downloads
    =========

    Binaries and source code can be downloaded from the MIT Kerberos web site:
    http://web.mit.edu/kerberos/dist/index.html


    Acknowledgments
    ===============

    Thanks to Stanford University for funding Secure Endpoints Inc.'s
    implementation of many of the Network Identity Manager user experience
    improvements including the user configurable default action, the
    revised "Obtain New Credentials" dialog, the new default application
    view, and the improved alert management.

    Secure Endpoints Inc. wishes to acknowledge the work of Asanka Herath
    on Network Identity Manager (NIM). NIM would not be the same without
    him. For information on Secure Endpoints Inc.'s future plans for NIM
    please see

    http://www.secure-endpoints.com/netidmgr/roadmap.html

    A special thanks to Kevin Koch, the newest member of the MIT Kerberos
    team, for his work on the automated build scripts used to produce this
    release.


    Important notice regarding Kerberos 4 support
    =============================================

    In the past few years, several developments have shown the inadequacy
    of the security of version 4 of the Kerberos protocol. These
    developments have led the MIT Kerberos Team to begin the process of
    ending support for version 4 of the Kerberos protocol. The plan
    involves the eventual removal of Kerberos 4 support from the MIT
    implementation of Kerberos.

    The Data Encryption Standard (DES) has reached the end of its useful
    life. DES is the only encryption algorithm supported by Kerberos 4,
    and the increasingly obvious inadequacy of DES motivates the
    retirement of the Kerberos 4 protocol. The National Institute of
    Standards and Technology (NIST), which had previously certified DES as
    a US government encryption standard, has officially announced[1] the
    withdrawal of the Federal Information Processing Standards (FIPS) for
    DES.

    NIST's action reflects the long-held opinion of the cryptographic
    community that DES has too small a key space to be secure. Breaking
    DES encryption by an exhaustive search of its key space is within the
    means of some individuals, many companies, and all major governments.
    Consequently, DES cannot be considered secure for any long-term keys,
    particularly the ticket-granting key that is central to Kerberos.

    Serious protocol flaws[2] have been found in Kerberos 4. These flaws
    permit attacks which require far less effort than an exhaustive search
    of the DES key space. These flaws make Kerberos 4 cross-realm
    authentication an unacceptable security risk and raise serious
    questions about the security of the entire Kerberos 4 protocol.

    The known insecurity of DES, combined with the recently discovered
    protocol flaws, make it extremely inadvisable to rely on the security
    of version 4 of the Kerberos protocol. These factors motivate the MIT
    Kerberos Team to remove support for Kerberos version 4 from the MIT
    implementation of Kerberos.

    The process of ending Kerberos 4 support began with release 1.3 of MIT
    Kerberos 5. In release 1.3, the default run-time configuration of the
    KDC disables support for version 4 of the Kerberos protocol. Release 1.4
    of MIT Kerberos continues to include Kerberos 4 support (also disabled
    in the KDC with the default run-time configuration), but we intend to
    completely remove Kerberos 4 support from some future release of MIT
    Kerberos.

    The MIT Kerberos Team has ended active development of Kerberos 4,
    except for the eventual removal of all Kerberos 4 functionality. We
    will continue to provide critical security fixes for Kerberos 4, but
    routine bug fixes and feature enhancements are at an end.

    We recommend that any sites which have not already done so begin a
    migration to Kerberos 5. Kerberos 5 provides significant advantages
    over Kerberos 4, including support for strong encryption,
    extensibility, improved cross-vendor interoperability, and ongoing
    development and enhancement.

    If you have questions or issues regarding migration to Kerberos 5, we
    recommend discussing them on the kerberos@mit.edu mailing list.

    References

    [1] National Institute of Standards and Technology. Announcing
    Approval of the Withdrawal of Federal Information Processing
    Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74,
    Guidelines for Implementing and Using the NBS Data Encryption
    Standard; and FIPS 81, DES Modes of Operation. Federal Register
    05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45

    [2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of
    Unauthenticated Encryption: Kerberos Version 4. In Proceedings of
    the Network and Distributed Systems Security Symposium. The
    Internet Society, February 2004.
    http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf

    _______________________________________________
    kerberos-announce mailing list
    kerberos-announce@mit.edu
    https://mailman.mit.edu/mailman/list...beros-announce
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
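
Added example, not part of the announcement and not KfW source code: the Winsock Helper item above describes a query name ending in a dot failing to match the host names in the DNS response. The sketch below contrasts a byte-for-byte comparison with one that treats a single trailing root dot as optional and ignores ASCII case; all function names and the example.com records are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One answer record reduced to the two fields this example needs. */
struct answer {
    const char *owner;   /* name the record belongs to */
    const char *target;  /* data carried by the record, e.g. a KDC host */
};

/* Constructed sample response: owner names come back without the root dot
 * and in a different letter case than the query used. */
static const struct answer SAMPLE_RESPONSE[] = {
    { "mail.example.com",          "mx1.example.com"   },
    { "Kerberos.Example.COM",      "kdc1.example.com"  },
    { "kerberos.example.com.test", "other.example.net" },
};
#define SAMPLE_COUNT (sizeof(SAMPLE_RESPONSE) / sizeof(SAMPLE_RESPONSE[0]))

typedef int (*name_eq_fn)(const char *, const char *);

/* Byte-for-byte comparison. "host.example.com." never equals
 * "host.example.com", which is the failure mode described above. */
int naive_names_equal(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/* Length of the name with at most one trailing root dot removed.
 * A malformed name such as "a.." keeps its inner empty label. */
static size_t name_len_without_root_dot(const char *name)
{
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '.')
        n--;
    return n;
}

/* Locale-independent lowercase; DNS names compare case-insensitively
 * over ASCII letters only. */
static int ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Hypothetical helper: equal if the names match after dropping one
 * trailing root dot from each and folding ASCII case. The whole name
 * must match, so a longer name sharing a prefix is rejected. */
int dns_names_equal(const char *a, const char *b)
{
    size_t la = name_len_without_root_dot(a);
    size_t lb = name_len_without_root_dot(b);
    size_t i;

    if (la != lb)
        return 0;
    for (i = 0; i < la; i++) {
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* Return the target of the first record whose owner matches the query
 * under the supplied comparison, or NULL if none does. */
const char *find_target(const char *query, const struct answer *answers,
                        size_t count, name_eq_fn eq)
{
    size_t i;
    for (i = 0; i < count; i++) {
        if (eq(query, answers[i].owner))
            return answers[i].target;
    }
    return NULL;
}

int main(void)
{
    const char *query = "kerberos.example.com.";  /* fully qualified form */
    const char *naive = find_target(query, SAMPLE_RESPONSE, SAMPLE_COUNT,
                                    naive_names_equal);
    const char *fixed = find_target(query, SAMPLE_RESPONSE, SAMPLE_COUNT,
                                    dns_names_equal);

    printf("strcmp match:     %s\n", naive ? naive : "(no record found)");
    printf("normalized match: %s\n", fixed ? fixed : "(no record found)");
    return 0;
}
```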


  2. RE: kfw-3.2-beta2 is available

    Hi Tom:

    I get a page not found when trying to download kfw 3.2.msi or .exe

    http://web.mit.edu/kerberos/dist/testing.html#kfw-3.2

    I am, however, able to download the msi in going into the kfw 3.2 directory

    Thanks,
    Deb



    -----Original Message-----
    From: kerberos-announce-bounces@MIT.EDU
    [mailto:kerberos-announce-bounces@MIT.EDU] On Behalf Of Tom Yu
    Sent: Tuesday, April 24, 2007 5:12 PM
    To: kerberos-announce@mit.edu
    Subject: kfw-3.2-beta2 is available



  3. Re: kfw-3.2-beta2 is available

    >>>>> "Deb" == Deb Bowser writes:

    Deb> I get a page not found when trying to download kfw 3.2.msi or .exe

    Deb> http://web.mit.edu/kerberos/dist/testing.html#kfw-3.2

    Deb> I am, however, able to download the msi in going into the kfw 3.2 directory

    The links were slightly wrong. They should work now. Thanks!

    ---Tom

