RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Xuelei Fan xuelei.fan at oracle.com
Wed Oct 22 10:56:38 UTC 2014

Thanks for the valuable input, Henry and Nico!

JSSE has supported RFC2712 for a few years. We are trying to move the
implementation of RFC2712 into the Krb5 module of JDK.

The input is valuable to me to follow the trend of TLS/Kerberos. Is
there a draft proposal for the new use of Kerberos in TLS?  I think we
can benefit from the new ideas while doing the moving.

Thanks & Regards,

On 10/22/2014 5:09 AM, Nico Williams wrote:
> [Adding Roland and Viktor to the cc list.  I'm not quoting anything,
> but it's roughly this: there's interest in implementing RFC2712, which
> is Kerberos in TLS.  Hank is inviting me to state my opinion; see
> below.]
> RFC2712 is to be burned.  Please do not implement.  We should either
> add a different extension to TLS to use Kerberos (or GSS), or simply
> not try this.
> There are at least two major problems with RFC2712:
>  - ciphersuite impedance mismatches:
>    The way this should have worked is that the Kerberos [sub-]session
> key should have been used to key any TLS PSK ciphersuite.  But instead
> we have a TLS ciphersuite per-Kerberos enctype, and... that list
> hasn't kept up with the times, so there's no AES ones.  Oops.
>  - RFC2712 does NOT use the AP-REQ PDU.  It violates the interfaces
> provided by RFC1510 (later RFC4120).  This is bad in many ways, and
> you'll notice if you try to implement it.
> As for JGSS and Java Kerberos, there are many other bugs/RFEs I'd
> rather see fixed/implemented there before anything like RFC2712.
> Nico