Dan White <dwhite@olp.net> writes:
> If it didn't support TLS, I'd think that'd be a much more urgent focus (GSSAPI only provides 56 bits of encryption).
Incidentally, where are you getting this? If you use Kerberos with GSSAPI and AES keys, you get 128-bit encryption so far as I can see. RFC 4121 defers to the Kerberos crypto specification for the encryption, and RFC 3962 definitely doesn't artificially limit the encryption strength of AES to 56 bits.
SASL reports a security factor of 56, but I believe that's just because there's no good way at present of getting the actual security factor bubbled up to the SASL layer so that it can report it properly to the application. I don't believe that's an accurate reflection of the on-wire encryption.