[Kdc-info] Preliminary draft of LDAP Kerberos schema

Jeffrey Hutzelman jhutz at cmu.edu
Sun Jun 18 01:37:13 EDT 2006



On Friday, June 16, 2006 06:08:35 PM -0400 Ken Raeburn <raeburn at mit.edu> 
wrote:

> On Jun 16, 2006, at 17:34, Luke Howard wrote:
>>> I understood that the Microsoft implementation, or at least one
>>> version of it, used a timestamp to generate the kvno, not a sequence
>>> of small integers.  The RFC 4120 protocol allows for 32-bit unsigned
>>> kvno values.
>>
>> Was this pre-W2K3? I thought the kvno was fixed in W2K and the value
>> of monotonically increasing msDS-KeyVersionNumber attribute in W2K3.
>
> I don't recall what version.  It's also possible I'm remembering
> wrong and it's just something they mentioned possibly doing, or in
> development versions, or something.  I thought the notion did come
> from MS though.
>
> But in any case, as the RFC allows for it, and it would be practical
> under 4120 for the next several decades (32-bit seconds => 136 years,
> unsigned means 1970-2106), I don't think the schema should prohibit
> it.  (And by 2106 I expect we'll have revised the data format again.)

Of course, RFC4120 is relevant only for the principal kvno.  Since the 
mkvno never actually appears on the wire...


