[Kdc-info] comments on draft-johansson-kerberos-model-00
Ken Raeburn
raeburn at MIT.EDU
Sun Nov 9 19:06:24 EST 2003
Leif Johansson <leifj at it.su.se> writes:
> 4.1.2 Principal: Associations
>
> Each principal MUST be associated with exactly one KeySet and MAY be
> associated with 1 or more Policies. The KeySet is represented as an
> object in this model since it has attributes associated with it (the
> key version number).

We need to support multiple KeySets in at least a couple cases:

* KDC needs an old key to renew a renewable ticket issued before the
  service's key was changed
* KDC accepting TGTs issued before the TGS key was changed

We may need to support zero KeySets if we want the information model
to apply to principals that always authenticate via PKINIT.

Ken
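
Added example, not part of the message above or of the draft: a sketch of a principal that holds zero or more KeySets indexed by key version number, so that tickets issued before a key change can still be decrypted and a PKINIT-only principal can have none. The class, field and method names, the `max_renewable_life` pruning rule and all key bytes are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class KeySet:
    kvno: int                           # key version number (the attribute the draft names)
    keys: Dict[int, bytes]              # enctype -> key material (constructed values)
    retired_at: Optional[float] = None  # time a newer KeySet replaced this one


@dataclass
class Principal:
    name: str
    # Assumed policy: no ticket may be renewed past issue time + this many seconds.
    max_renewable_life: float = 7 * 86400.0
    keysets: Dict[int, KeySet] = field(default_factory=dict)  # kvno -> KeySet, may be empty

    def current(self) -> Optional[KeySet]:
        """Newest KeySet, or None for a principal with no long-term key."""
        return self.keysets[max(self.keysets)] if self.keysets else None

    def rotate(self, keys: Dict[int, bytes], now: float) -> KeySet:
        """Install a new KeySet and keep the old one for outstanding tickets."""
        old = self.current()
        if old is not None:
            old.retired_at = now
        new = KeySet(kvno=old.kvno + 1 if old else 1, keys=keys)
        self.keysets[new.kvno] = new
        return new

    def for_ticket(self, kvno: int) -> Optional[KeySet]:
        """KeySet for a presented ticket encrypted under the given kvno."""
        return self.keysets.get(kvno)

    def prune(self, now: float) -> None:
        """Drop retired KeySets once no ticket issued under them can still be renewed."""
        for kvno, ks in list(self.keysets.items()):
            if ks.retired_at is not None and now - ks.retired_at > self.max_renewable_life:
                del self.keysets[kvno]
```

Keeping a retired KeySet only until the renewable lifetime has passed bounds how long a replaced key remains usable.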