[Kdc-info] Re: comments on draft-johansson-kerberos-model-00

Leif Johansson leifj at it.su.se
Sun Nov 9 19:52:57 EST 2003


Ken Raeburn wrote:
| Leif Johansson <leifj at it.su.se> writes:
|
|
|>4.1.2 Principal: Associations
|>
|>   Each principal MUST be associated with exactly one KeySet and MAY be
|>   associated with 1 or more Policies. The KeySet is represented as an
|>   object in this model since it has attributes associated with it (the
|>   key version number).
|
|
| We need to support multiple KeySets in at least a couple cases:
|

Agreed. This was an oversight on my part.

|  * KDC needs an old key to renew a renewable ticket issued before the
|    service's key was changed
|
|  * KDC accepting TGTs issued before the TGS key was changed
|
| We may need to support zero KeySets if we want the information model
| to apply to principals that always authenticate via PKINIT.

Oki.

	MVH leifj

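The KeySet cardinality point from this message, as an added example that is not part of the original post or of the draft: a principal holding zero or more KeySets indexed by key version number, so a ticket issued before a key change still validates. The class and function names are hypothetical, the realm name is constructed, and HMAC-SHA256 stands in for Kerberos ticket encryption.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class KeySet:
    kvno: int    # key version number, the KeySet attribute named in the draft
    key: bytes   # stand-in for the keys of this version

@dataclass
class Principal:
    name: str
    keysets: Dict[int, KeySet] = field(default_factory=dict)  # 0..n KeySets

    def rotate(self) -> KeySet:
        """Add a new KeySet with the next kvno; older KeySets are retained."""
        ks = KeySet(max(self.keysets, default=0) + 1, os.urandom(32))
        self.keysets[ks.kvno] = ks
        return ks

    def current(self) -> Optional[KeySet]:
        return self.keysets[max(self.keysets)] if self.keysets else None

def _tag(ks: KeySet, body: bytes) -> bytes:
    return hmac.new(ks.key, body, hashlib.sha256).digest()

def issue(p: Principal, body: bytes) -> Tuple[int, bytes, bytes]:
    """Issue a (kvno, body, tag) ticket under the principal's newest KeySet."""
    ks = p.current()
    if ks is None:
        raise LookupError(f"{p.name} has no KeySet (e.g. PKINIT-only)")
    return ks.kvno, body, _tag(ks, body)

def verify(p: Principal, ticket: Tuple[int, bytes, bytes]) -> bool:
    """Select the KeySet by the ticket's kvno, not just the newest one."""
    kvno, body, tag = ticket
    ks = p.keysets.get(kvno)
    return ks is not None and hmac.compare_digest(tag, _tag(ks, body))

def demo() -> dict:
    tgs = Principal("krbtgt/EXAMPLE.ORG")      # constructed realm name
    tgs.rotate()
    old_tgt = issue(tgs, b"TGT issued before the TGS key change")
    tgs.rotate()                               # TGS key changed
    new_tgt = issue(tgs, b"TGT issued after the TGS key change")
    # The "exactly one KeySet" model keeps only the newest key version.
    single = Principal(tgs.name, {2: tgs.keysets[2]})
    return {"multi_old": verify(tgs, old_tgt), "multi_new": verify(tgs, new_tgt),
            "single_old": verify(single, old_tgt),
            "pkinit_keysets": len(Principal("carol").keysets)}
```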
