Message-ID: <06431A53-AA78-4709-84A3-8B8FA74B666B@mit.edu>
From: Zhanna Tsitkov
To: krb5-bugs@MIT.EDU
CC: Zhanna Tsitkov
Subject: Documentation__Encryption types
Date: Wed, 30 Jan 2013 14:40:26 -0500

The following are a few suggestions for this document, in the order in which they appear in the text:

1. Consider moving the description of the key types into a separate section (perhaps under "Kerberos V5 concepts") so it could be referenced from the other docs such as "Retiring DES", and further developed if desired;
2. In "Session key selection" mention that an error (and what error) will be issued if the intersection is empty;
3. In "Configuration variables" try to use x-reference to the attributes in krb5.conf instead of rewording their description here. (See how it is done in http://web.mit.edu/kerberos/krb5-current/doc/admin/lockout.html#configuring-account-lockout)
4. In "Enctype compatibility" mention that Camellia was disabled by default in the releases 1.9-1.10;
5. Add a paragraph about the performance vs security trade-offs and recommendations when setting permitted_enctypes and friends;
6. Mention this article in krb5.conf (perhaps in its SeeAlso section);
7. Instead of "krb5-1.11" use "release 1.11" as a commonly used reference across MIT KC documentation.