
Re: Security impact of removing timestamp check in rd_rep()



>>>>> "Andrew" == Andrew Bartlett <abartlet@samba.org> writes:

    Andrew> I've been thinking about this, and would like a reality
    Andrew> check:

    Andrew> If krb5 had included this originally (assume it was
    Andrew> mandatory), this would have eliminated the need for the
    Andrew> reply cache, right?

Yep, and a lot of us wish krb5 had included this from the beginning.


Note that there are a lot of protocols for which this would be
inappropriate.  For example, multimedia keying really seems to want to
do things in one round trip.  However, when available, it would be nice
to get rid of the replay cache.