[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security impact of removing timestamp check in rd_rep()
>>>>> "Andrew" == Andrew Bartlett <email@example.com> writes:
Andrew> I've been thinking about this, and would like a reality
Andrew> If krb5 had included this originally (assume it was
Andrew> mandatory), this would have eliminated the need for the
Andrew> reply cache, right?
Yep, and a lot of us wish krb5 had included this from the beginning.
Note that there are a lot of protocols for which this would be
inappropriate. For example multimedia keying really seems to want to
do things in one round trip. However when available it would be nice
to get rid of the replay cache.