Russ Allbery <[email protected]> writes:

> Or, in kx509, issuing an X.509 certificate from Kerberos credentials
> with a lifetime longer than the underlying Kerberos credentials.

You'd think I'd actually read RFC 6717, considering.

    X.509 certificates are usually issued with considerably longer
    validity times than Kerberos tickets. Care should be taken that the
    issued certificate is not valid for longer than the intended policy
    should allow. Note that [RFC4556] Section 3.2.3.1 REQUIRES that the
    lifetime of an issued ticket not exceed the lifetime of the
    predecessor certificate. By analogy it is RECOMMENDED that the
    lifetime of an issued certificate not exceed the lifetime of the
    predecessor Kerberos ticket unless the implications with respect to
    local policy and supporting infrastructure are clearly understood
    and allow it.

This is a directly analogous situation. This is not as strong as I've
been arguing for. Perhaps it would be a good compromise to use similar
language?

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
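As an added illustration of the RECOMMENDED rule quoted in the message above (example code written here, not taken from the thread, from RFC 6717, or from any kx509 implementation), this models a kx509-style issuer that clamps the certificate's notAfter to the predecessor ticket's end time unless an explicit local-policy override is set; the `policy_allows_longer` flag and the sample ticket times are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample ticket lifetime (not from the thread): a 10-hour TGT.
TICKET_START = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
TICKET_END = TICKET_START + timedelta(hours=10)


def cert_validity_from_ticket(ticket_end, requested_lifetime_s, now,
                              policy_allows_longer=False):
    """Return (not_before, not_after, clamped) for a certificate issued
    from a Kerberos ticket.

    Default behaviour is the RFC 6717 recommendation: the certificate must
    not outlive the predecessor ticket, so a longer request is clamped to
    ticket_end.  policy_allows_longer (hypothetical flag) is the
    "unless local policy ... allows it" escape hatch; it must be an explicit
    opt-in, never the default.
    """
    if now >= ticket_end:
        # An expired ticket cannot be the predecessor of anything.
        raise ValueError("ticket already expired; refusing to issue")
    requested_end = now + timedelta(seconds=requested_lifetime_s)
    if requested_end > ticket_end and not policy_allows_longer:
        return now, ticket_end, True
    return now, requested_end, False


def cert_outlives_ticket(cert_not_after, ticket_end):
    """Audit check for already-issued certificates: True means the
    certificate violates the analogue of RFC 4556 Section 3.2.3.1."""
    return cert_not_after > ticket_end


if __name__ == "__main__":
    nb, na, clamped = cert_validity_from_ticket(TICKET_END, 30 * 86400,
                                                TICKET_START)
    print("issued", nb, "->", na, "clamped:", clamped)
```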
