New proposal (Re: Ticket 5338: Race conditions in key rotation)

Nicolas Williams Nicolas.Williams at
Wed Jun 25 16:14:28 EDT 2008

On Wed, Jun 25, 2008 at 03:00:24PM -0500, Nicolas Williams wrote:
> I doubt very much that you could get KRB-WG and IETF consensus on such a
> change to RFC4120 anytime soon.  Therefore I strongly recommend that you
> pursue both: (1) and (2b).

As for the rationale:

 - I understand that in some environments it's easier to update the
   clients than the KDCs, but that's not always the case (it's almost
   always technically, if not politically, easier to update the KDCs).

   Thus a client-side fix can be very desirable in some cases.

 - However, I believe a client-side fix here, particularly one that lets
   the KDC implementor off the hook, creates pressure on other client
   implementors to adopt the same fix.

   That would be a backdoor change to a standards track Internet

 - Therefore I propose that you either make that change to the protocol
   through normal channels (i.e., publish a new standards track RFC
   updating the old one), or that you provide a KDC-side solution so
   that other client implementors have a way out of having to implement
   this behavior.

