libapache2-webkdc (3.3.0-1) unstable; urgency=low

  S/Ident support has been removed from WebAuth due to the discovery of a
  protocol flaw that allows active man-in-the-middle attacks.  WebAuth is
  particularly vulnerable to such an attack because all WebAuth users
  regularly go to the central weblogin server and exploiting this
  vulnerability would have allowed capture of a single sign-on cookie for
  the victim.

  If you were using S/Ident in your WebKDC, you will need to remove any
  WebKdcSIdentAuthType and WebKdcSIdentTimeout settings in your Apache
  configuration.

 -- Russ Allbery  Tue, 4 Oct 2005 21:28:12 -0700
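
One way to confirm that no S/Ident settings remain, as an added example that is not part of the WebAuth package or of the NEWS entry above. The function names are hypothetical and /etc/apache2 is an assumed configuration location.

```shell
#!/bin/sh
# Added example (not part of the WebAuth package): find leftover S/Ident
# directives in an Apache configuration tree before or after the upgrade.

# Print file:line:text for each active use of the two directives the NEWS
# entry names. Apache directive names are case-insensitive (-i), and the
# anchored pattern skips lines commented out with '#'.
find_sident_directives() {
    grep -rHniE '^[[:space:]]*WebKdcSIdent(AuthType|Timeout)([[:space:]]|$)' "$1"
}

# Return 0 when the tree is clean, 1 when directives remain to be removed.
check_webkdc_config() {
    if hits=$(find_sident_directives "$1"); then
        printf 'S/Ident directives still present:\n%s\n' "$hits" >&2
        return 1
    fi
    printf 'No S/Ident directives found under %s\n' "$1"
    return 0
}

# Run against a directory given on the command line, e.g. /etc/apache2
# (an assumed location; pass wherever your WebKDC configuration lives).
if [ "$#" -gt 0 ]; then
    check_webkdc_config "$1"
fi
```

The non-zero return from check_webkdc_config makes it usable as a gate in an upgrade or deployment script.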