Difference between 'expiration date' and 'Password expiration date'?

Dr. Greg Wettstein greg at wind.enjellic.com
Wed Mar 19 09:23:47 EST 2003


On Mar 19,  4:13am, Mitchell E Berger wrote:
} Subject: Re: Difference between 'expiration date' and 'Password expiration

> > > If you know that at a certain time, the individual with that
> > > principal is going to be leaving your company/school/whatever,
> > > this is a good way to ensure that they can no longer
> > > authenticate to your KDC after that time.

> > Why would I expire the PRINCIPAL, when I solve the above issue by
> > expiring the password? If the password is expired, the account
> > can't be used... I'm not getting it...

As I developed our services-oriented authorization strategy for the
Hurderos project I actually thought about this issue a lot.  There are
certainly any number of good reasons to place a lifetime on a
principal.  Probably the most important is the issue that Ken raised
of limiting the finite lifetime of a service.

We actually solved this problem generically by considering that
everything, including authentication, is a service.  By placing a finite
lifetime on the service the same effect can be achieved without having
to fiddle with the KDC.  Once again this is all part of the design
trade-off between directories and the services managed by them.

There is a fair body of thinking in the security arena that stale,
forgotten and unused accounts represent a significant vulnerability in
many organizations.  Placing lifetimes on a 'service' can be used to
provide an additional layer of security which isn't dependent on a
security administrator or manager having to do something.

It seems that the wireless arena is the hottest thing on the face of
technology right now.  An upcoming challenge is going to be to provide
temporary user access to organizational networks, especially at
organizations such as universities, research centers etc.  I suspect
that limited lifetime services are going to be an essential part of
managing this challenge.

Best wishes to everyone for a productive mid-week.

Greg

}-- End of excerpt from Mitchell E Berger

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-4950
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"One problem with monolithic business structures is losing sight
of the fundamental importance of mathematics.  Consider committees;
commonly forgotten is the relationship that given a projection of N
individuals to complete an assignment the most effective number of
people to assign to the committee is given by f(N) = N - (N-1)."
                                -- Dr. G.W. Wettstein
                                   Guerrilla Tactics for Corporate Survival
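
Added example, not from the post above or from the Hurderos project: a
small Python model of the two KDC lifetimes the thread asks about
('expire' on the principal versus 'pwexpire' on the password) next to a
service-level lifetime of the kind Greg describes.  The error codes are
RFC 4120's.  The decision order (principal expiry rejected first, and an
expired password still yielding a ticket for the password-change service,
which MIT Kerberos marks with the KRB5_KDB_PWCHANGE_SERVICE attribute)
reflects MIT KDC behaviour and is not stated anywhere on this page.  The
principal names, dates and the ServiceGrant type are constructed for the
example; key material and preauthentication are left out entirely.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# KDC error codes from RFC 4120 section 7.5.9 (numbers come from the RFC,
# not from the mailing-list post).
KDC_ERR_NONE = 0          # request accepted
KDC_ERR_NAME_EXP = 1      # client's entry in database has expired
KDC_ERR_SERVICE_EXP = 2   # server's entry in database has expired
KDC_ERR_KEY_EXP = 23      # password has expired; change password to reset


@dataclass
class Principal:
    """Subset of a KDC database entry: just the lifetimes the thread is about."""
    name: str
    expire: Optional[datetime] = None      # kadmin 'expire'   -> "Expiration date"
    pw_expire: Optional[datetime] = None   # kadmin 'pwexpire' -> "Password expiration date"
    # Models MIT's KRB5_KDB_PWCHANGE_SERVICE attribute, normally set on
    # kadmin/changepw so that an expired password can still be changed.
    pwchange_service: bool = False


def kdc_as_req(client: Principal, server: Principal, now: datetime) -> int:
    """Decide an AS-REQ the way a KDC does, looking only at lifetimes.

    Order matters: an expired principal is refused before the password is
    even examined, and an expired password still yields a ticket for the
    password-change service (that is what lets kinit prompt for a new one).
    """
    if client.expire is not None and now >= client.expire:
        return KDC_ERR_NAME_EXP
    if server.expire is not None and now >= server.expire:
        return KDC_ERR_SERVICE_EXP
    if (client.pw_expire is not None and now >= client.pw_expire
            and not server.pwchange_service):
        return KDC_ERR_KEY_EXP
    return KDC_ERR_NONE


@dataclass
class ServiceGrant:
    """A lifetime attached to the service itself, outside the KDC (hypothetical type)."""
    principal: str
    service: str
    valid_until: datetime


def service_authorized(grant: ServiceGrant, principal: Principal,
                       server: Principal, now: datetime) -> bool:
    """Authorization = a ticket the KDC would issue AND an unexpired grant.

    The grant lapses by itself; no administrator has to remember to act.
    """
    if kdc_as_req(principal, server, now) != KDC_ERR_NONE:
        return False
    return (grant.principal == principal.name
            and grant.service == server.name
            and now < grant.valid_until)


# Constructed reference time and sample entries; none of this is real data.
T0 = datetime(2003, 3, 19, 9, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)


def scenario() -> dict:
    """A temporary visitor: 30-day principal, 7-day password, 3-day wireless grant."""
    visitor = Principal("visitor", expire=T0 + 30 * DAY, pw_expire=T0 + 7 * DAY)
    wlan = Principal("host/wlan-gw.example.edu")
    changepw = Principal("kadmin/changepw", pwchange_service=True)
    grant = ServiceGrant("visitor", "host/wlan-gw.example.edu",
                         valid_until=T0 + 3 * DAY)
    return {
        # day 0: everything valid
        "day0_wlan": kdc_as_req(visitor, wlan, T0),
        # day 8: password expired, principal still valid; only changepw works
        "day8_wlan": kdc_as_req(visitor, wlan, T0 + 8 * DAY),
        "day8_changepw": kdc_as_req(visitor, changepw, T0 + 8 * DAY),
        # day 31: principal expired; nothing is issued, not even for changepw
        "day31_changepw": kdc_as_req(visitor, changepw, T0 + 31 * DAY),
        # day 4: the KDC is still satisfied, but the 3-day service grant lapsed
        "day4_kdc": kdc_as_req(visitor, wlan, T0 + 4 * DAY),
        "day4_service": service_authorized(grant, visitor, wlan, T0 + 4 * DAY),
        "day1_service": service_authorized(grant, visitor, wlan, T0 + DAY),
    }


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label:16} {result}")
```

The day-8 rows are the point of the thread: an expired password alone does
not make the principal unusable, since the KDC still issues a ticket for
the password-change service; only the principal's own expiration date stops
all issuance.  The day-4 row is Greg's alternative: the KDC is untouched and
the visitor's access still ends on schedule because the service grant
carries the lifetime.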


More information about the Kerberos mailing list