clock skew and preauth
Nico Williams
nico at cryptonector.com
Thu Apr 5 14:44:37 EDT 2012
On Thu, Apr 5, 2012 at 12:51 PM, Stef Walter <stefw at gnome.org> wrote:
> On 2012-04-05 19:48, Nico Williams wrote:
>> If we're going to go this far, why not associate a realm name with
>> each offset? That way a multi-client-principal application can cope
>> with each client realm having the wrong time.
>
> Yes, I was going to look at that next ;)
>
> But this preauth stuff is (and should be) conceptually separate. The
> preauth server timestamp is untrusted, and so we shouldn't store it
> anywhere. It's just to be used in the next encrypted timestamp preauth
> reply. Essentially it becomes a challenge that we receive from the
> server, which we respond to by encrypting it and sending it back.
Ah, fair enough. But what about the per-ccache time offset? It
normally gets stored in the krb5_context.
Nico
--
More information about the krbdev
mailing list