On Wed, 2015-02-11 at 12:21 +1300, Andrew Bartlett wrote:
> On Tue, 2015-02-10 at 22:04 +0000, Edgar Olougouna wrote:
> > Andrew,
> > I will take a look and follow-up.
> > Considering that NotBefore/NotAfter properties specify the date range
> > within which the certificate is valid, are you asking whether this is
> > any renewal upon/after expiry?
>
> Yes.
>
> > I need to look at how the certificate is generated in the first place,
> > perhaps the protocol has some error condition that would trigger
> > refreshing the certificate, unless this is outside the protocol. I will
> > find out.
> > I am trying to get a good scope of what you mean by "roll over keys".
>
> So, the above, and for the symmetric keys the general principle in
> cryptography that you try not to use the same key forever, because it
> could be broken, and that would expose everything.
>
> The protocol clearly has scope for the preferred key to change (decrypt
> old data with old keys, but encrypt new data with a new key), but as
> described, it never would.

BTW, I tried to manually roll over the keys by deleting G$BCKUPKEY_P, but
it appears to cache it at runtime, as no new G$BCKUPKEY_P appeared until I
rebooted the server.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
