From 6603c22686c96cee259b82657b7e5597f021f1d5 Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Sat, 31 Jan 2009 04:00:10 +0000
Subject: README and patchlevel.h for 1.7 release branch

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21852 dc483132-0cff-0310-8789-dd5450dbe970
---
 README | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

(limited to 'README')

diff --git a/README b/README
index a945960f6f..5b1c82a9a2 100644
--- a/README
+++ b/README
@@ -59,12 +59,34 @@ http://krbdev.mit.edu/rt/
 
 and logging in as "guest" with password "guest".
 
+DES transition
+--------------
+
+The Data Encryption Standard (DES) is widely recognized as weak.  The
+krb5-1.7 release will contain measures to encourage sites to migrate
+away from using single-DES cryptosystems.  Among these is a
+configuration variable that enables "weak" enctypes, but will default
+to "false" in the future.  Depending on the outcome of ongoing
+discussion on krbdev@mit.edu, this default could change prior to the
+final release of krb5-1.7.
+
+Additional measures to ease the transition away from DES are planned
+for the final krb5-1.7 release.
+
 Major changes in 1.7
 --------------------
 
 * Remove support for version 4 of the Kerberos protocol (krb4).
 
-* Client library now follows client principal referrals.
+* New libdefaults configuration variable "allow_weak_crypto".  NOTE:
+  Currently defaults to "false", but may default to "true" in a future
+  release.  Setting this variable to "false" will have the effect of
+  removing weak enctypes (currently defined to be all single-DES
+  enctypes) from permitted_enctypes, default_tkt_enctypes, and
+  default_tgs_enctypes.
+
+* Client library now follows client principal referrals, for
+  compatibility with Windows.
 
 * KDC can issue realm referrals for service principals based on domain
   names.
@@ -80,6 +102,11 @@ Major changes in 1.7
 * DCE RPC, including three-leg GSS context setup and unencapsulated
   GSS tokens.
 
+* NTLM recognition support in GSS-API, to facilitate dropping in an
+  NTLM implementation.
+
+* KDC support for principal aliases, if the back end supports them.
+
 * Microsoft set/change password (RFC 3244) protocol in kadmind.
 
 * Master key rollover support.
-- 
cgit