Code review request: 8001326: Improve Kerberos replay caching

Weijun Wang at
Wed Jun 5 18:32:29 PDT 2013

On 5/31/13 9:16 AM, Valerie (Yu-Ching) Peng wrote:
> One question:
> In, you mentioned that the old style block is always
> created even if a new style is available.
> When both are present, is it always new style before old one? The impl
> in seems to assume this.

Yes. This is also what MIT krb5 does. I can add a comment on it.


> Thanks,
> Valerie
> On 05/28/13 01:45, Weijun Wang wrote:
>> Please review the code changes at
>> Two new system properties are introduced. to
>> control what rcache type should be used. Besides the original one
>> (which does not need this system property to be set), we support dfl
>> and none now. Also, can be set to
>> true to let acceptor generate a sub-key, so that even if a replayed
>> authenticator is not detected, a replayed message won't work.
>> Thanks
>> Max
