On 1 Nov 2012, at 03:42, Benjamin Kaduk wrote:
> I think we can only make a weak statement in this document, and proposed as 
> such in my commit:
>       <t hangText="expiration">The time, expressed as an rxgkTime, at which
> -       this token expires.</t>
> +       this token expires. The expiration time MAY be set administratively
> +       by the server, and SHOULD reflect the expiration time of the
> +       underlying GSSAPI credential.</t>
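
Review bot: The added sentence in the "expiration" entry makes administrative setting a MAY and tracking the GSSAPI credential a SHOULD, but nothing in it requires the server to set an expiration time at all, so a token with no expiry would still conform to the text. Consider adding an explicit requirement that an expiration time is always set. It would also help to say how an administratively chosen value relates to the underlying credential's expiry, since "SHOULD reflect" does not tell an implementer whether the value may be later than the credential's own expiration.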
> 
> The server application has freedom to lower, or increase, the expiry time of 
> the underlying credential, but should take that underlying credential into 
> account as appropriate for the application.

I'm happy with the intent behind this, although I wonder if the wording leaves 
the possibility that the server could set no expiration time at all, which we 
obviously want to avoid.

To address another point that has come up in this thread, I should note that 
the GSSAPI does expose an expiration time for a security context, so getting 
the information to do this isn't a problem.

Cheers,

Simon.
_______________________________________________
AFS3-standardization mailing list
http://lists.openafs.org/mailman/listinfo/afs3-standardization
