[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Confusion over MIT/Heimdal compatibility

To: timtas@cubic.ch, Howard Chu <hyc@symas.com>
Subject: Re: Confusion over MIT/Heimdal compatibility
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Mon, 21 Apr 2008 07:41:38 -0700
Cc: Simon Wilkinson <simon@sxw.org.uk>, Dominic Hargreaves <dominic.hargreaves@oucs.ox.ac.uk>, openldap-software@openldap.org
Content-disposition: inline
In-reply-to: <480C9282.8020908@cubic.ch>
References: <20080415160213.GD5820@gunboat-diplomat.oucs.ox.ac.uk> <6B267F50FB838ED640A6ECFE@[192.168.1.198]> <301F3BFA-1AC9-4955-ADBE-F365F4ABF64D@sxw.org.uk> <480510D4.5000109@symas.com> <99794851-15F6-4DEE-A5C7-E4C4DDF7F33F@sxw.org.uk> <48051E9C.4090700@symas.com> <480C9282.8020908@cubic.ch>

--On Monday, April 21, 2008 3:11 PM +0200 Tim Tassonis <timtas@cubic.ch> wrote:

Sorry, but this is rubbish. By your logic, if one joins a conspirative
gathering using a secret password and then is told than in future there
is a new secret passphrase, he would then be required to leave the room
again an reenter it using the new passphrase. There is absolutely no
security value in this, just a small entertainment value perhaps.

Reestablishing expired encryption keys clearly has a security value, due
to brute force issues on current connection keys.

But if somebody has brute-forced your initial shared secret to establish
the connection an you have changed it in the meantime, he will not be
more able to establish a connection if you keep that old connection.

I think you just argued for the point Howard was making. We aren't talking about establishing a *new* connection with an old encryption key. We are talking about maintaining a connection once the encryption key has expired. Heimdal lets you do this. MIT does not.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- Confusion over MIT/Heimdal compatibility
  - From: Dominic Hargreaves <dominic.hargreaves@oucs.ox.ac.uk>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Simon Wilkinson <simon@sxw.org.uk>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Howard Chu <hyc@symas.com>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Simon Wilkinson <simon@sxw.org.uk>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Howard Chu <hyc@symas.com>
- Re: Confusion over MIT/Heimdal compatibility
  - From: Tim Tassonis <timtas@cubic.ch>

Prev by Date: Re: Confusion over MIT/Heimdal compatibility
Next by Date: attribute size limit?
Index(es):
- Chronological
- Thread