[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Ticket and SA lifetime (Re: kink-09)
- To: Ken Raeburn <raeburn@xxxxxxx>
- Subject: Re: Ticket and SA lifetime (Re: kink-09)
- From: Michael Thomas <mat@xxxxxxxxx>
- Date: Fri, 30 Sep 2005 12:44:12 -0700
- Authentication-results: imail.cisco.com; header.Fromfirstname.lastname@example.org; dkim=pass ( message from cisco.com verified; );
- Cc: "KAMADA Ken'ichi" <kamada@xxxxxxxxxx>, ietf-kink@xxxxxxxx
- Dkim-signature: a=rsa-sha1; q=dns; l=796; t=1128110134; x=1128542334; c=nowsp; s=nebraska; h=Subject:From:Date:Content-Type:Content-Transfer-Encoding; d=cisco.com; email@example.com; z=Subject:Re=3A=20Ticket=20and=20SA=20lifetime=20(Re=3A=20kink-09)| From:Michael=20Thomas=20<firstname.lastname@example.org>| Date:Fri,=2030=20Sep=202005=2012=3A44=3A12=20-0700| Content-Type:text/plain=3B=20charset=3DISO-8859-1=3B=20format=3Dflowed| Content-Transfer-Encoding:7bit; b=ekHNA1luAW01LqI4TlVkG4U+hLWkHhXgsoT6tbjboJhnJX2nkzqdFj0mCu/heeLdBlnnFrLg ddyQJ2e2XebJeV1qkbRsWUwHiHukblikd+gkqRtDO6YXGUU4EuOqMbU7YmTt2mWnfBWzj37kJ4w MwQ0KEjBpkKyhclmi2KZJyQ0=
- In-reply-to: <>
- List-archive: <http://www.vpnc.org/ietf-kink/mail-archive/>
- List-id: <ietf-kink.vpnc.org>
- List-unsubscribe: <mailto:email@example.com?body=unsubscribe>
- References: <> <> <>
- Sender: owner-ietf-kink@xxxxxxxxxxxxx
- User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20040913 Thunderbird/0.8 Mnenhy/0.7.2.0
Ken Raeburn wrote:
On Sep 13, 2005, at 21:24, KAMADA Ken'ichi wrote:
Do you assume that the SA lifetime is truncated to the ticket endtime?
For some reason I was thinking it was, but now I see nothing in the
draft to support that.
Is the lifetime of application session limited to the service ticket
in usual Kerberized applications?
I.e., if I (kerberized-)telnet to a remote host with a service ticket,
what will happen when the ticket expires? Is the telnet session
# I can't find something on this in RFC 4120 or RFC 2942.
It depends on the application. Sometimes the session dies immediately,
sometimes the session is kept open indefinitely.
Sorry, I should've checked more closely....
Then so long as the IKE phase 2 negotiations have the
ability for the receiver to minimize the lifetime (which
I think it does), then I don't really think there's much
if anything that the spec needs to say about this.