[2735] in Kerberos
Re: The renewable-tickets feature
daemon@ATHENA.MIT.EDU (John T Kohl)
Tue Jun 29 09:17:39 1993
Date: Tue, 29 Jun 1993 08:41:44 -0400
From: John T Kohl <jtkohl@zk3.dec.com>
To: Shyh-Wei Luan <luan@eng.umd.edu>
Cc: kerberos@MIT.EDU, bcn@ISI.EDU
In-Reply-To: Shyh-Wei Luan's message of Mon, 28 Jun 1993 16:27:35 -0400,
> Date: Mon, 28 Jun 1993 16:27:35 -0400
> From: Shyh-Wei Luan <luan@eng.umd.edu>
> Hi,
> Section 2.3 (Renewable tickets) of the Kerberos V5 Internet-Draft spec.
> provides some explanations on why this feature could enhance security.
> However, it seems that some of the arguments provided there are unclear or
> invalid.
[...]
> Observations:
> Assume ticket thefts are always reported and stolen tickets (their authtime
> values and client-principal identities) are included in the TGS's hot-list.
[...]
> (2) If an application ticket is stolen, renewable tickets with a
> shorter lifetime would further limit the damage caused by the theft. However,
> the same goal can be achieved simply by always requesting shorter-lived
> application tickets and getting new ones when the old ones expire. The renewal
> mechanism does not seem to be necessary for limiting the use of stolen
> application tickets.
... unless you do not have a TGT. If I am going to use long-lived
tickets in some variety of batch application, I would not entrust it
with a TGT. I would only give it the application ticket, and let it
renew that ticket.
John Kohl
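The exchange above turns on two pieces of Kerberos V5 renewal semantics (RFC 1510 section 2.3 and the TGS renewal rules): a renewal is only granted while the ticket is still valid and before its renew-till time, and a renewed ticket keeps the original authtime, so a hot-list entry keyed on (client principal, authtime) as in Luan's scenario also blocks every renewed descendant of a stolen ticket. The following is an added toy model of that KDC-side check, written for this page and not code from the thread or from any Kerberos implementation. The class and function names, the integer-second clock and the batch-job loop are all constructed for illustration; it models Kohl's case of a batch job holding only a service ticket and no TGT, which can keep working by renewing that one ticket until the theft is reported.

```python
"""Toy model of Kerberos V5 renewable-ticket handling (constructed example).

Not code from the kerberos@MIT.EDU thread or from any KDC; names and the
integer-second clock are assumptions made for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

RENEWABLE = "RENEWABLE"


@dataclass(frozen=True)
class Ticket:
    client: str
    server: str
    authtime: int            # time of initial authentication; kept across renewals
    starttime: int
    endtime: int
    renew_till: Optional[int]
    flags: frozenset


class RenewalError(Exception):
    """Raised when the (toy) TGS refuses to renew a ticket."""


class KDC:
    def __init__(self, max_life: int):
        self.max_life = max_life
        # Hot-list of reported thefts, keyed on (client principal, authtime)
        # as in the scenario quoted above.
        self.hot_list = set()

    def report_stolen(self, ticket: Ticket) -> None:
        self.hot_list.add((ticket.client, ticket.authtime))

    def renew(self, ticket: Ticket, now: int) -> Ticket:
        """Issue a renewed ticket or refuse, following the RFC 1510 rules."""
        if RENEWABLE not in ticket.flags or ticket.renew_till is None:
            raise RenewalError("ticket is not renewable")
        if now >= ticket.endtime:
            raise RenewalError("ticket already expired; a new one needs a TGT")
        if now >= ticket.renew_till:
            raise RenewalError("renew-till reached")
        # authtime is unchanged, so a hot-listed original blocks all renewals.
        if (ticket.client, ticket.authtime) in self.hot_list:
            raise RenewalError("ticket reported stolen (hot-list)")
        new_end = min(now + self.max_life, ticket.renew_till)
        return replace(ticket, starttime=now, endtime=new_end)


def renew_until(kdc: KDC, ticket: Ticket, now: int, horizon: int,
                period: int) -> Tuple[Ticket, Optional[int]]:
    """Renew every `period` seconds until `horizon`, as a batch job holding
    only a service ticket (no TGT) would. Returns the last ticket held and
    the time of the first refused renewal, or None if none was refused."""
    t = now
    while t + period < horizon:
        t += period
        try:
            ticket = kdc.renew(ticket, t)
        except RenewalError:
            return ticket, t
    return ticket, None


def make_batch_ticket() -> Ticket:
    # Constructed sample: one-hour lifetime, renewable for a week.
    return Ticket(client="batch@EXAMPLE.ORG", server="svc@EXAMPLE.ORG",
                  authtime=0, starttime=0, endtime=3600, renew_till=7 * 86400,
                  flags=frozenset({RENEWABLE}))


if __name__ == "__main__":
    kdc = KDC(max_life=3600)
    tkt = make_batch_ticket()
    last, refused_at = renew_until(kdc, tkt, 0, 10000, 1800)
    print("honest job: ticket valid until", last.endtime, "refused at", refused_at)
    kdc.report_stolen(tkt)
    last, refused_at = renew_until(kdc, tkt, 0, 10000, 1800)
    print("stolen copy: ticket valid until", last.endtime, "refused at", refused_at)
```

The second run shows the property both correspondents care about: once the theft is reported, the stolen ticket and every copy renewed from it stop at the next renewal attempt, so the exposure is bounded by one short lifetime rather than by the week-long renew-till, and the batch job never needed a TGT to get that behaviour.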