Troy Benjegerdes <[email protected]> writes:

> I think this also makes it quite clear the need for an Rxk5 standard, in
> addition to rxgk that explicitly directly uses Kerberos 5 tickets *as*
> tokens, and continues to provide the robust 'you lose access when your
> tickets expire' behavior that users, and administrators expect.

It really doesn't. rxgk is superior to rxk5, including in fixing some
security vulnerabilities that rxk5 would still have around protection of
callback data. You don't get anything from rxk5 that you don't also get
from rxgk.

> There are also cases where we're going to need rxgk tokens that exist
> longer than kerberos authorization.

Why? I don't see why this is any more necessary than having rxkad tokens
exist longer than the underlying Kerberos ticket would be.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
