Clock skew too great status code

Nico Williams nico at cryptonector.com
Wed Feb 5 14:47:10 EST 2014


On Wed, Feb 5, 2014 at 11:05 AM, Greg Hudson <ghudson at mit.edu> wrote:
> This could all work better if krb5 had used a ticket lifetime instead of
> an end time (like krb4 did, but without the crazy 8-bit representation
> of the lifetime).  But the protocol was designed under the assumption
> that clients, servers, and KDCs would all have mostly synchronized
> clocks, so it went with the simplification of always using absolute
> timestamps and never relative intervals.

And yet implementation-wise relative times are still needed...  I
agree, 'twould have been better to have relative lifetime.


More information about the Kerberos mailing list