[AFS3-std] Re: rxgk token expiry
Russ Allbery
rra@stanford.edu
Wed, 31 Oct 2012 20:12:57 -0700
Russ Allbery <rra@stanford.edu> writes:
> Or, in kx509, issuing an X.509 certificate from Kerberos credentials
> with a lifetime longer than the underlying Kerberos credentials.
You'd think I'd actually read RFC 6717, considering.
    X.509 certificates are usually issued with considerably longer validity
    times than Kerberos tickets. Care should be taken that the issued
    certificate is not valid for longer than the intended policy should
    allow. Note that [RFC4556] Section 3.2.3.1 REQUIRES that the lifetime
    of an issued ticket not exceed the lifetime of the predecessor
    certificate. By analogy it is RECOMMENDED that the lifetime of an
    issued certificate not exceed the lifetime of the predecessor Kerberos
    ticket unless the implications with respect to local policy and
    supporting infrastructure are clearly understood and allow it.
This is a directly analogous situation. This is not as strong as I've
been arguing for. Perhaps it would be a good compromise to use similar
language?
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
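The two lifetime rules quoted in the message above, written out as a small policy check. This is an added example, not code from the thread, from kx509, from rxgk or from any real implementation; the names Validity, derive_validity and LifetimePolicyError are hypothetical, and the sample ticket times are constructed. derive_validity issues a derived credential (a kx509 certificate or an rxgk token) whose end time is capped at the predecessor Kerberos ticket's end time unless the caller explicitly asserts that local policy allows otherwise, which is the RFC 6717 RECOMMENDED behaviour; Validity.contains is the containment test behind the RFC 4556 REQUIRED rule in the other direction (ticket inside certificate). An expired or not-yet-valid predecessor is rejected outright rather than producing a zero-length or backdated window.

```python
# Added example (not from the thread, kx509, rxgk or any real implementation):
# lifetime policy for a credential derived from a predecessor credential.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Validity:
    """A credential's validity window; both instants must be timezone-aware."""
    not_before: datetime
    not_after: datetime

    def contains(self, other: "Validity") -> bool:
        """True if `other` lies entirely within this window (the RFC 4556 rule
        for PKINIT: the ticket's lifetime must not exceed the certificate's)."""
        return self.not_before <= other.not_before and other.not_after <= self.not_after


class LifetimePolicyError(ValueError):
    """Raised when no policy-conforming validity window can be issued."""


def derive_validity(predecessor: Validity, now: datetime, requested: timedelta,
                    policy_max: timedelta, allow_exceed_predecessor: bool = False) -> Validity:
    """Validity window for a credential (kx509 certificate, rxgk token, ...)
    issued on the strength of `predecessor`.

    Starts at `now`; lasts at most `requested` and never more than the local
    `policy_max`; unless `allow_exceed_predecessor` is set (the RFC 6717
    "local policy clearly understood" escape hatch), ends no later than the
    predecessor credential does.
    """
    if now < predecessor.not_before:
        raise LifetimePolicyError("predecessor credential not yet valid")
    if now >= predecessor.not_after:
        raise LifetimePolicyError("predecessor credential has expired")
    if requested <= timedelta(0):
        raise LifetimePolicyError("requested lifetime must be positive")
    not_after = now + min(requested, policy_max)
    if not allow_exceed_predecessor:
        not_after = min(not_after, predecessor.not_after)
    return Validity(now, not_after)


# Constructed sample input: a Kerberos ticket valid for 10 hours, used 8 hours in.
TICKET = Validity(datetime(2012, 10, 31, 0, 0, tzinfo=timezone.utc),
                  datetime(2012, 10, 31, 10, 0, tzinfo=timezone.utc))
NOW = datetime(2012, 10, 31, 8, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Run the policy over the sample ticket; results as ISO strings and bools."""
    capped = derive_validity(TICKET, NOW, timedelta(hours=24), timedelta(days=7))
    uncapped = derive_validity(TICKET, NOW, timedelta(hours=24), timedelta(days=7),
                               allow_exceed_predecessor=True)
    short = derive_validity(TICKET, NOW, timedelta(hours=24), timedelta(hours=1))
    try:
        derive_validity(TICKET, TICKET.not_after + timedelta(minutes=1),
                        timedelta(hours=1), timedelta(days=7))
        expired_rejected = False
    except LifetimePolicyError:
        expired_rejected = True
    return {
        "capped_not_after": capped.not_after.isoformat(),
        "capped_within_ticket": TICKET.contains(capped),
        "uncapped_not_after": uncapped.not_after.isoformat(),
        "uncapped_within_ticket": TICKET.contains(uncapped),
        "short_not_after": short.not_after.isoformat(),
        "expired_rejected": expired_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the sample ticket ending at 10:00 UTC, a 24-hour request made at 08:00 is cut back to 10:00; with allow_exceed_predecessor the derived credential runs to 08:00 the next day and TICKET.contains reports that it outlives the ticket, which is exactly the case the RFC 6717 text says should only happen when local policy knowingly allows it.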