[39242] in Kerberos


Re: help with OTP

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon May 1 16:48:00 2023

From: Russ Allbery <eagle@eyrie.org>
To: Charles Hedrick <hedrick@rutgers.edu>
CC: Ken Hornstein via Kerberos <kerberos@mit.edu>, Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <PH0PR14MB549307B0C36B735AE3375F33AA6E9@PH0PR14MB5493.namprd14.prod.outlook.com>
 (Charles Hedrick's message of "Mon, 1 May 2023 20:29:31 +0000")
Date: Mon, 01 May 2023 13:43:07 -0700
Message-ID: <87fs8fiy04.fsf@hope.eyrie.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Charles Hedrick <hedrick@rutgers.edu> writes:

> Anonymous PKINIT works fine but requires certs to be distributed. Unless
> you're prepared to update every machine in the world every year, you
> pretty much have to use a cert that goes back to a commercial CA.

Because you have to distribute the certs to the client anyway, you can use
self-signed certificates and set whatever expiration you want.  There's
the standard tradeoff of long certificate lifetime, but so far as I know
there's no reason why you can't set your KDC public key certificate
lifetime to 50 years or whatever.

I agree with your other points, though.

-- 
Russ Allbery (eagle@eyrie.org)             <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
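The self-signed, long-lived KDC certificate Russ describes, worked through as an added example (this is not code from the thread or from the MIT krb5 project). It generates a KDC key and a self-signed certificate valid for 50 years, carrying the id-pkinit-KDC extended key usage (1.3.6.1.5.2.3.5) and the id-pkinit-san otherName (1.3.6.1.5.2.2) naming krbtgt/REALM, which is the extension layout RFC 4556 specifies and MIT's pkinit documentation describes, and then checks that the certificate validates with itself as the only trust anchor, which is exactly what distributing it to clients as their pkinit_anchors relies on. The realm EXAMPLE.COM, the output directory under $TMPDIR, the RSA key size and the kdc.conf/krb5.conf paths in the comments are all assumptions.

```shell
#!/bin/sh
# Added example: self-signed KDC certificate for anonymous PKINIT with a
# 50-year lifetime.  Not from the thread or MIT krb5; REALM, key size and
# output paths are assumptions.
#
# Once generated, the assumed deployment is:
#   kdc.conf   [kdcdefaults] pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
#   krb5.conf  [libdefaults] pkinit_anchors  = FILE:/etc/krb5/kdc.pem   (clients; the cert is its own anchor)

PKI_DIR="${TMPDIR:-/tmp}/kdc-pki"

# make_kdc_cert REALM DAYS
#   Writes $PKI_DIR/kdckey.pem and a self-signed $PKI_DIR/kdc.pem valid for DAYS.
#   The SAN otherName is built with OpenSSL's ASN.1 generator: a KRB5PrincipalName
#   SEQUENCE { [0] realm, [1] PrincipalName { [0] name-type 2 (NT-SRV-INST),
#   [1] name-string { "krbtgt", REALM } } }.
make_kdc_cert() {
    realm="$1"; days="$2"
    mkdir -p "$PKI_DIR"
    cat > "$PKI_DIR/kdc.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = kdc.$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
O = $realm

[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0,GeneralString:$realm
principal_name = EXP:1,SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0,INTEGER:2
name_string = EXP:1,SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$realm
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PKI_DIR/kdckey.pem" 2>/dev/null
    # -x509 makes the request self-signed; -extensions selects the KDC profile above.
    openssl req -new -x509 -days "$days" \
        -config "$PKI_DIR/kdc.cnf" -extensions kdc_cert \
        -key "$PKI_DIR/kdckey.pem" -out "$PKI_DIR/kdc.pem"
}

# anchor_ok: succeeds if kdc.pem validates with kdc.pem as the only trust anchor,
# i.e. the situation of a client whose pkinit_anchors is the KDC cert itself.
anchor_ok() {
    openssl verify -CAfile "$PKI_DIR/kdc.pem" "$PKI_DIR/kdc.pem" >/dev/null 2>&1
}

# outlives SECONDS: succeeds if the certificate is still valid SECONDS from now.
outlives() {
    openssl x509 -in "$PKI_DIR/kdc.pem" -noout -checkend "$1" >/dev/null 2>&1
}

# Demo run: 18250 days is the 50-year lifetime mentioned in the thread.
make_kdc_cert EXAMPLE.COM 18250
openssl x509 -in "$PKI_DIR/kdc.pem" -noout -subject -enddate
anchor_ok && echo "kdc.pem validates as its own trust anchor"
outlives $((49 * 365 * 86400)) && echo "kdc.pem is still valid 49 years from now"
```

The trade-off Russ mentions is visible here: nothing in the certificate limits how long a stolen kdckey.pem stays useful, so the 50-year lifetime only makes sense if the KDC key is protected accordingly and clients' pkinit_anchors can be replaced if it ever leaks.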
