
Ticket and SA lifetime (Re: kink-09)



At Wed, 7 Sep 2005 15:08:29 -0400,
Ken Raeburn <raeburn@xxxxxxx> wrote:
> 
> Relatively minor stuff:

> - Section 3.6: One case that might be worth mentioning is when the  
> user's tickets are going to expire at the end of the "hard lifetime  
> by time" of the SA.  In that case, unless there's some other reason  
> (lifetime by byte count?), there's no purpose in attempting to rekey,  
> because the new SA will have the same expiration time.  (This sort of  
> applies also in renewable-TGT or PKINIT or keytab cases when the KDC  
> isn't available to issue a new TGT, but that could be seen as  
> starting the rekey process and then failing.)  In some environments,  
> it may make sense to prompt the user to re-enter their password, but  
> until the new tickets are actually acquired (or the byte count gets  
> high enough), it makes no sense to continue.

Do you assume that the SA lifetime is truncated to the ticket endtime?

Is the lifetime of an application session limited to that of the service
ticket in usual Kerberized applications?
I.e., if I (kerberized-)telnet to a remote host with a service ticket,
what will happen when the ticket expires?  Is the telnet session
disconnected?
# I can't find anything on this in RFC 4120 or RFC 2942.


Sidenote: at least when Key Exchange payloads are used,
a ticket and an SA will have independent lifetimes.

-- 
KAMADA Ken'ichi <kamada@xxxxxxxxxx>
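The rekey decision Ken describes, modelled as an added example that is not part of the thread or of any KINK implementation. It assumes the rule Kamada asks about (the SA's effective expiry is truncated to the ticket endtime) and, per the sidenote, that an SA negotiated with Key Exchange payloads keeps a lifetime independent of the ticket. The `SA` record, the `sa_expiry`/`should_rekey` names and the 90% byte-count threshold are hypothetical choices for illustration; sample times are constructed epoch seconds.

```python
"""Decide whether rekeying a KINK-negotiated SA is worthwhile.

Assumption (from the thread, not from the KINK spec): when the SA is bound
to a Kerberos ticket, its effective expiry is min(established + hard
lifetime by time, ticket endtime).  With Key Exchange payloads the SA
lifetime is independent of the ticket.
"""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SA:
    established: int                 # epoch seconds when the SA came up
    hard_lifetime_secs: int          # negotiated "hard lifetime by time"
    ticket_endtime: int              # endtime of the service ticket used
    ticket_bound: bool = True        # False when KE payloads decouple lifetimes
    hard_lifetime_bytes: Optional[int] = None   # "hard lifetime by bytes", if any
    bytes_used: int = 0


def sa_expiry(established: int, hard_lifetime_secs: int,
              ticket_endtime: int, ticket_bound: bool) -> int:
    """Effective expiry of an SA under the truncation assumption above."""
    by_time = established + hard_lifetime_secs
    return min(by_time, ticket_endtime) if ticket_bound else by_time


def should_rekey(sa: SA, now: int, fresh_ticket_endtime: Optional[int] = None,
                 byte_fraction: float = 0.9) -> Tuple[bool, str]:
    """Return (rekey?, reason).

    fresh_ticket_endtime is the endtime of a ticket newly obtained from the
    KDC (renewed TGT, PKINIT, keytab, re-entered password); None means the
    only ticket available is the one the current SA was built from.
    """
    current = sa_expiry(sa.established, sa.hard_lifetime_secs,
                        sa.ticket_endtime, sa.ticket_bound)

    # Byte-count exhaustion justifies a rekey regardless of ticket timing,
    # because the new SA starts with a fresh byte budget.
    if (sa.hard_lifetime_bytes is not None
            and sa.bytes_used >= byte_fraction * sa.hard_lifetime_bytes):
        return True, "bytes"

    ticket_end = (fresh_ticket_endtime if fresh_ticket_endtime is not None
                  else sa.ticket_endtime)

    # Without a valid ticket a KINK exchange cannot even start; the right
    # move is to acquire credentials (possibly prompting the user), not rekey.
    if sa.ticket_bound and ticket_end <= now:
        return False, "no-valid-ticket"

    # The case Ken raises: if the replacement SA would be cut off at the
    # same ticket endtime as the current one, rekeying gains nothing.
    new = sa_expiry(now, sa.hard_lifetime_secs, ticket_end, sa.ticket_bound)
    if new <= current:
        return False, "same-expiry"
    return True, "extends"


if __name__ == "__main__":
    # Constructed sample: SA set up at t=1000 with a 1h hard lifetime and a
    # ticket ending at t=4600, so the SA expires at t=4600 either way.
    sa = SA(established=1000, hard_lifetime_secs=3600, ticket_endtime=4600)
    print(should_rekey(sa, now=4000))                              # (False, 'same-expiry')
    print(should_rekey(sa, now=4000, fresh_ticket_endtime=9000))   # (True, 'extends')
```

The two `False` reasons are deliberately distinct: `same-expiry` means "wait for new tickets or the byte count", while `no-valid-ticket` means a rekey attempt would fail at the Kerberos step, which is the "starting the rekey process and then failing" view of the renewable-TGT/PKINIT/keytab cases.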