help with OTP
Russ Allbery
eagle at eyrie.org
Mon May 1 16:43:07 EDT 2023
Charles Hedrick <hedrick at rutgers.edu> writes:
> Anonymous PKINIT works fine but requires certs to be distributed. Unless
> you're prepared to update every machine in the world every year, you
> pretty much have to use a cert that goes back to a commercial CA.
Because you have to distribute the certs to the client anyway, you can use
self-signed certificates and set whatever expiration you want. There's
the standard tradeoff of long certificate lifetime, but so far as I know
there's no reason why you can't set your KDC public key certificate
lifetime to 50 years or whatever.
I agree with your other points, though.
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
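As an added example (not code from this thread, and not the MIT Kerberos project's own tooling), the following POSIX shell script does what the reply describes: it builds a self-signed PKINIT trust anchor with a 50-year lifetime, issues a KDC certificate under it, and checks the properties a PKINIT client actually looks for. The realm EXAMPLE.COM, the host kdc.example.com, the ./pkinit output directory and the 18262-day lifetime are assumed values; the KDC extension layout (EKU 1.3.6.1.5.2.3.5 and the krbtgt/REALM KRB5PrincipalName SAN) follows the PKINIT certificate section of the MIT Kerberos documentation.

```shell
#!/bin/sh
# Added example, not code from the original thread or from MIT Kerberos.
# Builds a self-signed, long-lived PKINIT trust anchor plus a KDC certificate
# with OpenSSL and checks what anonymous PKINIT clients care about.
# Assumed (hypothetical) values: realm EXAMPLE.COM, KDC host kdc.example.com,
# output directory ./pkinit, lifetime 18262 days (about 50 years).
set -eu

REALM="${REALM:-EXAMPLE.COM}"
KDC_HOST="${KDC_HOST:-kdc.example.com}"
OUT="${OUT:-./pkinit}"
DAYS="${DAYS:-18262}"

# OpenSSL config: a CA section for the anchor and the KDC extension layout
# from the MIT Kerberos PKINIT documentation (EKU plus krbtgt/REALM SAN).
write_openssl_conf() {
    cat > "$OUT/pkinit.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = $KDC_HOST

[ca_cert]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:$REALM
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:2
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$REALM
EOF
}

make_pkinit_certs() {
    mkdir -p "$OUT"
    write_openssl_conf
    # Self-signed anchor: nothing here chains back to a commercial CA.
    openssl req -x509 -config "$OUT/pkinit.cnf" -extensions ca_cert \
        -newkey rsa:2048 -nodes -keyout "$OUT/ca.key" -out "$OUT/ca.pem" \
        -days "$DAYS" -sha256 -subj "/CN=$REALM PKINIT anchor" >/dev/null 2>&1
    # KDC key and CSR, then sign it with the anchor using the kdc_cert section.
    openssl req -new -config "$OUT/pkinit.cnf" -newkey rsa:2048 -nodes \
        -keyout "$OUT/kdc.key" -out "$OUT/kdc.csr" -subj "/CN=$KDC_HOST" >/dev/null 2>&1
    openssl x509 -req -in "$OUT/kdc.csr" -CA "$OUT/ca.pem" -CAkey "$OUT/ca.key" \
        -CAcreateserial -days "$DAYS" -sha256 -extfile "$OUT/pkinit.cnf" \
        -extensions kdc_cert -out "$OUT/kdc.pem" >/dev/null 2>&1
}

# Year in which the KDC certificate expires (last field but one of -enddate).
kdc_cert_end_year() {
    openssl x509 -in "$OUT/kdc.pem" -noout -enddate | awk '{ print $(NF-1) }'
}

# PKINIT clients require the id-pkinit-KDC EKU; OpenSSL prints it either as
# the dotted OID or under its registered name, so accept both.
kdc_cert_has_pkinit_eku() {
    openssl x509 -in "$OUT/kdc.pem" -noout -ext extendedKeyUsage \
        | grep -Eq '1\.3\.6\.1\.5\.2\.3\.5|KDC'
}

# The KDC certificate must chain to the anchor clients will be given.
kdc_cert_chains_to_anchor() {
    openssl verify -CAfile "$OUT/ca.pem" "$OUT/kdc.pem" >/dev/null 2>&1
}

make_pkinit_certs
echo "KDC certificate expires in $(kdc_cert_end_year); anchor is $OUT/ca.pem"
```

Clients point `pkinit_anchors = FILE:/path/ca.pem` at the anchor in krb5.conf, and the KDC loads the pair through `pkinit_identity = FILE:/path/kdc.pem,/path/kdc.key` in kdc.conf. The tradeoff mentioned in the reply is worth spelling out: with a 50-year anchor there is no expiry-driven rotation, so if ca.key is ever compromised the only remedy is pushing a new anchor to every client, which is exactly the distribution problem being avoided. Keep ca.key offline, and consider giving the KDC certificate a shorter lifetime than the anchor so that routine KDC key rotation never requires touching clients.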