diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 4440ae6bb..307dd75cd 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1001,10 +1001,8 @@ tgs_check_authenticator(krb5_auth_context ac,
 	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
 	goto out;
     }
-    /* XXX */
-    if (auth->cksum->cksumtype != CKSUMTYPE_RSA_MD4 &&
-	auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5 &&
-	auth->cksum->cksumtype != CKSUMTYPE_RSA_MD5_DES){
+    if (!krb5_checksum_is_keyed(auth->cksum->cksumtype)
+	|| !krb5_checksum_is_collision_proof(auth->cksum->cksumtype)) {
 	kdc_log(0, "Bad checksum type in authenticator: %d", 
 		auth->cksum->cksumtype);
 	ret =  KRB5KRB_AP_ERR_INAPP_CKSUM;
diff --git a/lib/krb5/rd_safe.c b/lib/krb5/rd_safe.c
index 54e4a6fc7..693773cea 100644
--- a/lib/krb5/rd_safe.c
+++ b/lib/krb5/rd_safe.c
@@ -62,8 +62,8 @@ krb5_rd_safe(krb5_context context,
       r = KRB5KRB_AP_ERR_MSG_TYPE;
       goto failure;
   }
-  /* XXX - checksum collision-proff and keyed */
-  if (safe.cksum.cksumtype != CKSUMTYPE_RSA_MD5_DES) {
+  if (!krb5_checksum_is_keyed(safe.cksum.cksumtype)
+      || !krb5_checksum_is_collision_proof(safe.cksum.cksumtype)) {
       r = KRB5KRB_AP_ERR_INAPP_CKSUM;
       goto failure;
   }