[Kdc-info] Preliminary draft of LDAP Kerberos schema

Ken Raeburn raeburn at MIT.EDU
Fri Jun 16 18:08:35 EDT 2006


On Jun 16, 2006, at 17:34, Luke Howard wrote:
>> I understood that the Microsoft implementation, or at least one
>> version of it, used a timestamp to generate the kvno, not a sequence
>> of small integers.  The RFC 4120 protocol allows for 32-bit unsigned
>> kvno values.
>
> Was this pre-W2K3? I thought the kvno was fixed in W2K and the value
> of monotonically increasing msDS-KeyVersionNumber attribute in W2K3.

I don't recall what version.  It's also possible I'm remembering
wrong and it's just something they mentioned possibly doing, or in
development versions, or something.  I thought the notion did come
from MS though.

But in any case, as the RFC allows for it, and it would be practical
under 4120 for the next several decades (32-bit seconds => 136 years,
unsigned means 1970-2106), I don't think the schema should prohibit
it.  (And by 2106 I expect we'll have revised the data format again.)

Ken
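The arithmetic behind the 1970-2106 range above, plus the check a schema author would actually want to run, as an added example; this is not code from MIT krb5, from any LDAP schema draft, or from anyone on this thread. It works through a timestamp-derived kvno against the RFC 4120 UInt32 type (INTEGER 0..4294967295), shows the DER encoding consequence that a value with the top bit set (any timestamp kvno from 2038 onward) needs a fifth, leading 0x00 content byte, and models a store that is secretly a signed int32 to show where it would start rejecting such kvnos. The function names, the signed/unsigned store flag and the sample timestamp are assumptions made up for illustration.

```python
"""Timestamp-derived kvno vs. the RFC 4120 UInt32 type.

Added example, not project code.  Only the 32-bit bounds are from the RFC
(UInt32 ::= INTEGER (0..4294967295)); everything else here is illustrative.
"""
from datetime import datetime, timedelta, timezone

UINT32_MAX = 2**32 - 1      # RFC 4120 UInt32 upper bound
INT32_MAX = 2**31 - 1       # where a signed 32-bit store would start to fail
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the date of this mail, 2006-06-16 18:08:35 EDT, in UTC.
SAMPLE_TS = int((datetime(2006, 6, 16, 22, 8, 35, tzinfo=timezone.utc) - EPOCH)
                .total_seconds())


def kvno_from_timestamp(epoch_seconds: int) -> int:
    """Use a Unix timestamp directly as the kvno, rejecting anything that
    does not fit the RFC 4120 UInt32 range."""
    if not 0 <= epoch_seconds <= UINT32_MAX:
        raise ValueError(f"{epoch_seconds} is not representable as a UInt32 kvno")
    return epoch_seconds


def year_of(epoch_seconds: int) -> int:
    """Calendar year of a timestamp, computed with timedelta so it does not
    depend on the platform's time_t width."""
    return (EPOCH + timedelta(seconds=epoch_seconds)).year


def uint32_kvno_year_range() -> tuple:
    """Years a UInt32 timestamp kvno can express: first and last."""
    return year_of(0), year_of(UINT32_MAX)


def signed_store_last_year() -> int:
    """Last year a signed int32 store can hold a timestamp kvno."""
    return year_of(INT32_MAX)


def der_encode_uint(n: int) -> bytes:
    """Minimal DER INTEGER for a non-negative value.  DER integers are
    two's complement, so once the top bit of the most significant byte is
    set an extra 0x00 byte is required: 2**31-1 encodes in 4 content bytes,
    2**31 in 5."""
    if n < 0:
        raise ValueError("kvno is unsigned")
    content = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(content)]) + content


def der_decode_uint(der: bytes) -> int:
    """Decode a short-form DER INTEGER and enforce the UInt32 constraints."""
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    content = der[2:]
    if content[0] & 0x80:
        raise ValueError("negative INTEGER is not a UInt32")
    if length > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal encoding")
    value = int.from_bytes(content, "big")
    if value > UINT32_MAX:
        raise ValueError("exceeds UInt32")
    return value


def store_accepts(kvno: int, signed_32bit_store: bool) -> bool:
    """Would a given attribute store accept this kvno?  A store that is
    really a signed int32 (hypothetical flag) rejects timestamp kvnos
    after 2038, even though the protocol allows them until 2106."""
    upper = INT32_MAX if signed_32bit_store else UINT32_MAX
    return 0 <= kvno <= upper


if __name__ == "__main__":
    print("UInt32 kvno-as-timestamp covers", uint32_kvno_year_range())
    print("signed int32 store stops in", signed_store_last_year())
    print("DER for 2**31-1:", der_encode_uint(INT32_MAX).hex())
    print("DER for 2**31:  ", der_encode_uint(INT32_MAX + 1).hex())
    print("2006 sample kvno accepted by unsigned store:",
          store_accepts(kvno_from_timestamp(SAMPLE_TS), False))
```

The point for the schema: if the attribute type or the backing store is effectively a signed 32-bit integer, a timestamp kvno works for roughly thirty years and then fails on exactly the values that the RFC still permits; declaring the attribute as a full UInt32 (and encoding it with the extra leading byte DER requires) is what keeps the timestamp scheme usable through 2106.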


