>> 	so upgrade plan would be:
>> 	- disable kerberos4 by default
>> 	- import openssl 0.9.7b (or latest), with kerberos-and-ssl stuff
>> 	  disabled.  shlib major bump.  kerberos portion would not build
>> 	  for a while, i guess?
>so, how do we deal with the api problem with openssl ?
>keep old libdes and don't remove the compat glue (by defining
>OPENSSL_DISABLE_OLD_DES_SUPPORT not including <openssl/des_old.h>) ?

	i'm not too sure about this part myself.  for a long time libcrypto ==
	libdes.  choices would be:
	- do not provide any backward compatibility support at all, i.e.
	  DES_xx only.  do not compile des_old.c.
	- split libcrypto and libdes.  maintain libdes (code from 0.9.6)
	  by ourselves.  libcrypto will provide DES_xx only.  do not compile
	  des_old.c.
	- others?

	i guess i like the second bullet myself, modulo maintenance cost.

itojun