RFR 8038089: TLS optional support for Kerberos cipher suites needs to be re-examine

Nico Williams nico at cryptonector.com
Tue Oct 21 21:09:59 UTC 2014

[Adding Roland and Viktor to the cc list.  I'm not quoting anything,
but it's roughly this: there's interest in implementing RFC2712, which
is Kerberos in TLS.  Hank is inviting me to state my opinion; see

RFC2712 is to be burned.  Please do not implement.  We should either
add a different extension to TLS to use Kerberos (or GSS), or simply
not try this.

There are at least two major problems with RFC2712:

 - ciphersuite impedance mismatches:

   The way this should have worked is that the Kerberos [sub-]session
key should have been used to key any TLS PSK ciphersuite.  But instead
we have a TLS ciphersuite per-Kerberos enctype, and... that list
hasn't kept up with the times, so there's no AES ones.  Oops.

 - RFC2712 does NOT use the AP-REQ PDU.  It violates the interfaces
provided by RFC1510 (later RFC4120).  This is bad in many ways, and
you'll notice if you try to implement it.

As for JGSS and Java Kerberos, there are many other bugs/RFEs I'd
rather see fixed/implemented there before anything like RFC2712.

