On Wednesday, October 31, 2012 8:15:07 PM, Benjamin Kaduk wrote:
> On Mon, 29 Oct 2012, Jeffrey Hutzelman wrote:
>
>> On Mon, 2012-10-29 at 16:57 -0500, Andrew Deason wrote:
>>
>>>> commit 13a2d01b722969da997f1878ad176991fb0ffabc
>>>> Author: Ben Kaduk <[email protected]>
>>>> Date: Wed Oct 24 23:26:49 2012 -0400
>>>>
>>>> Clarify token expiry
>>>
>>> For krb5-based tokens, does this have any relevance for renewable
>>> tickets? That is, if our expiration time is in 10 hours, but we are
>>> renewable for 7 days, we want this field to specify the 'expiration
>>> time' in 7 days from now, not 10 hours, correct? Or does that just
>>> result in an entirely new connection because the token is effectively
>>> entirely new? (I feel like this is obvious, but after reading this text
>>> for a while I tend to get confused easily... :)
>>
>> No, the token has to expire in 10 hours, when the ticket does. The
>> renewable lifetime of a ticket only tells you for how long the KDC will
>> let you get a new ticket by presenting the old one to the TGS.
>
> I agree with jhutz; we must use the ticket that we have, not the
> ticket that we could have.
>
> -Ben
I disagree. The valid lifetime of an rxgk token does not need to be the same as the Kerberos ticket lifetime or the X.509 client certificate lifetime or whatever is applicable for OATH.

For rxkad the token is a Kerberos ticket, and I'm willing to accept that as a result the rxkad lifetime matches the Kerberos ticket lifetime. However, an rxgk token is not a Kerberos ticket. It is explicitly and intentionally independent.

I want the rxgk token lifetime to be specified by policy. For example, all rxgk tokens in a particular environment may have a fixed lifetime. For AFS that might be one hour from time of authentication. For BOS that might be five minutes.

Tying the AFS token lifetime to the remaining lifetime of the Kerberos TGT has proven to be a usability nightmare. If there is one thing that end user organizations ask more than anything else it is "how can I request an afs token that will always provide a guaranteed minimum lifetime?"

If an organization wants the token lifetime to be tied to the Kerberos ticket lifetime, that can be the administrator's choice, but it should not be a requirement. Certainly not for a standard that is not Kerberos specific.

Jeffrey Altman
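The two positions in this thread (token expiry bound to the ticket's endtime versus a site-configured lifetime) differ only in how the issuer derives the token's expiry field, and the "guaranteed minimum lifetime" request is a constraint at issue time. The following is an added model of that, written for this page; it is not rxgk's wire format, OpenAFS code, or anything posted in the thread. `LifetimePolicy`, `Credential`, `Token`, `issue_token`, `token_is_valid` and the `FIXED_LIFETIMES` table are hypothetical names, and the example lifetimes are the ones Altman floats (one hour for AFS, five minutes for BOS); the 10-hour ticket with a 7-day renewable lifetime comes from Deason's question.

```python
"""Hypothetical model of the token-lifetime policies discussed in the thread.

Not rxgk's wire format or OpenAFS code: the classes, functions and example
lifetimes below are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class LifetimePolicy(Enum):
    # Token expires exactly when the underlying ticket does (jhutz's and Ben's position).
    TIED_TO_CREDENTIAL = "tied"
    # Token lifetime is set by site policy, independent of the ticket (Altman's position).
    FIXED = "fixed"


@dataclass(frozen=True)
class Credential:
    """A Kerberos-style ticket; times are seconds since an arbitrary epoch."""
    endtime: int                      # hard expiry of this ticket
    renew_till: Optional[int] = None  # how long the KDC will issue a replacement; does not extend endtime


@dataclass(frozen=True)
class Token:
    service: str
    issued_at: int
    expires_at: int


class TokenPolicyError(Exception):
    pass


# Example per-service fixed lifetimes (constructed; the values Altman suggests).
FIXED_LIFETIMES = {"afs": 3600, "bos": 300}


def issue_token(now: int, service: str, cred: Credential, policy: LifetimePolicy,
                minimum_lifetime: int = 0) -> Token:
    """Derive a token expiry from the credential and the configured policy.

    minimum_lifetime models the end-user request for a guaranteed minimum:
    the issuer refuses rather than hand out a token that will die too soon.
    """
    if cred.endtime <= now:
        raise TokenPolicyError("credential already expired")
    if policy is LifetimePolicy.TIED_TO_CREDENTIAL:
        # Only endtime counts; renew_till governs re-acquisition, not validity.
        expires_at = cred.endtime
    elif policy is LifetimePolicy.FIXED:
        expires_at = now + FIXED_LIFETIMES[service]
    else:
        raise TokenPolicyError(f"unknown policy {policy!r}")
    if expires_at - now < minimum_lifetime:
        raise TokenPolicyError(
            f"token would live {expires_at - now}s, below the required {minimum_lifetime}s")
    return Token(service, now, expires_at)


def token_is_valid(token: Token, now: int, max_skew: int = 300) -> bool:
    """Server-side check: tolerate clock skew on the start time, be strict on expiry."""
    return token.issued_at - max_skew <= now < token.expires_at


if __name__ == "__main__":
    HOUR, DAY = 3600, 86400
    ticket = Credential(endtime=10 * HOUR, renew_till=7 * DAY)  # the numbers from Deason's question
    tied = issue_token(0, "afs", ticket, LifetimePolicy.TIED_TO_CREDENTIAL)
    fixed = issue_token(0, "afs", ticket, LifetimePolicy.FIXED)
    print("tied  :", tied.expires_at // HOUR, "hours (renew_till ignored)")
    print("fixed :", fixed.expires_at // HOUR, "hour(s), set by policy")
    short = Credential(endtime=30 * 60)  # a TGT with half an hour left
    try:
        issue_token(0, "afs", short, LifetimePolicy.TIED_TO_CREDENTIAL, minimum_lifetime=HOUR)
    except TokenPolicyError as e:
        print("tied + minimum:", e)
```

Under the tied policy the renewable lifetime never reaches the token, which is Hutzelman's point; under the fixed policy the token can outlive the ticket that was used to obtain it, which is what Altman's "explicitly and intentionally independent" implies, and the `minimum_lifetime` refusal is where the tied policy produces the user-visible failure he describes.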
