[AFS3-std] Re: rxgk token expiry
Simon Wilkinson
simon@sxw.org.uk
Thu, 1 Nov 2012 11:14:19 +0000
On 1 Nov 2012, at 03:42, Benjamin Kaduk wrote:
> I think we can only make a weak statement in this document, and proposed as such in my commit:
> <t hangText=3D"expiration">The time, expressed as an rxgkTime, =
at which
> - this token expires.</t>
> + this token expires. The expiration time MAY be set =
administratively
> + by the server, and SHOULD reflect the expiration time of the
> + underlying GSSAPI credential.</t>
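Review bot: On the added `+` lines the only normative keywords are MAY (the server sets the expiration time administratively) and SHOULD (it reflects the expiration time of the underlying GSSAPI credential), so nothing here requires the field to carry an expiration time at all. Suggest adding a sentence that the server MUST always set an expiration time, and stating explicitly whether an administratively set value is allowed to be later than the expiration of the underlying GSSAPI credential, since "reflect" leaves that open.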
>
> The server application has freedom to lower, or increase, the expiry time of the underlying credential, but should take that underlying credential into account as appropriate for the application.
I'm happy with the intent behind this, although I wonder if the wording leaves the possibility that the server could set no expiration time at all, which we obviously want to avoid.
To address another point that has come up in this thread, I should note that the GSSAPI does expose an expiration time for a security context, so getting the information to do this isn't a problem.
Cheers,
Simon.