[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Certificate's endtime and PK-INIT

To: ietf-krb-wg@anl.gov
Subject: Certificate's endtime and PK-INIT
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Mon, 19 Sep 2005 22:56:32 +0200
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/22.0.50 (darwin)


l27.7: 

I think this text should be added as part of "3.2.2 Receipt of
Client Request" or "4. Security Considerations":

    The KDC MUST verify that the endtime of the requested ticket is
    before the end time (notAfter time) of the client certificate. The
    KDC should still issue the ticket if the certificate is valid, but
    limit the endtime to the expiration time of the certificate.

One argue that is really part of the folloing text in the security
considerations:

   PKINIT extends the cross-realm model to the public-key
   infrastructure.  Users of PKINIT must understand security policies
   and procedures appropriate to the use of Public Key Infrastructures
   [RFC3280].

But since I missed it, it might be good to add the text above.

PGP signature

Prev by Date: Re: heimdal-0.7.1rc2
Next by Date: Re: pkinit and krb5.conf [appdefaults] section
Prev by thread: Re: heimdal-0.7.1rc2
Next by thread: inter-Windows 2003/non-Windows Kerberos realm referrals [Re: Single DNS domain for Multiple Kerberos V5 Realms ?]
Index(es):
- Date
- Thread