[17331] in Kerberos_V5_Development


Re: Make krb5int_check_clockskew() public?

daemon@ATHENA.MIT.EDU (Linus Nordberg)
Sun Oct 30 10:24:58 2011

To: krbdev@mit.edu
From: Linus Nordberg <linus@nordu.net>
Date: Sun, 30 Oct 2011 15:24:48 +0100
Message-ID: <yszty6qy2tr.fsf@nordberg.se>
Mime-Version: 1.0
X-Complaints-To: usenet@dough.gmane.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Sam Hartman <hartmans@mit.edu> wrote
Sat, 29 Oct 2011 18:35:08 -0400:

| Your ASN.1 decoder is mighty strange if it produces a structure
| depending on size of the armor key from an encrypted timestamp preauth.

The timestamp we're verifying here is not standardised and is hiding in
the nonce field of the PA-OTP-CHALLENGE.  The definition of the nonce
field was changed (in -18 IIRC) to make it possible to include a
timestamp in the nonce.  This relieves the KDC from holding state for
this.

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
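
The idea in the message above, as an added example that is not part of the original post and is not MIT krb5 code: the KDC places the issue time inside the nonce, so when the nonce comes back it only has to compare that time against its clock instead of looking up a stored challenge. The 4-byte big-endian layout, the function names, the return codes and the sample values are assumptions, and the nonce is assumed to have already been recovered from the client's encrypted reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_LEN 4 /* assumed layout: 32-bit big-endian seconds, then random bytes */

/* Build nonce = timestamp || random. Returns the nonce length, or 0 on error. */
size_t nonce_build(uint8_t *out, size_t outlen, uint32_t now,
                   const uint8_t *rnd, size_t rndlen)
{
    if (out == NULL || rnd == NULL || rndlen == 0 || outlen < TS_LEN + rndlen)
        return 0;
    out[0] = (uint8_t)(now >> 24);
    out[1] = (uint8_t)(now >> 16);
    out[2] = (uint8_t)(now >> 8);
    out[3] = (uint8_t)now;
    memcpy(out + TS_LEN, rnd, rndlen);
    return TS_LEN + rndlen;
}

/* Check a returned nonce without any stored state.
 * Returns 0 if fresh, -1 if malformed, -2 if outside the allowed skew. */
int nonce_check(const uint8_t *nonce, size_t len, size_t rndlen,
                uint32_t now, uint32_t max_skew)
{
    uint32_t ts, diff;

    if (nonce == NULL || len != TS_LEN + rndlen)
        return -1; /* wrong size: reject before reading the timestamp */
    ts = ((uint32_t)nonce[0] << 24) | ((uint32_t)nonce[1] << 16) |
         ((uint32_t)nonce[2] << 8) | (uint32_t)nonce[3];
    /* Absolute difference: a timestamp from the future is rejected too. */
    diff = now > ts ? now - ts : ts - now;
    return diff <= max_skew ? 0 : -2;
}

int main(void)
{
    /* Constructed sample: fixed bytes stand in for real random data. */
    uint8_t rnd[16] = { 0xA5 }, nonce[TS_LEN + sizeof rnd];
    uint32_t issued = 1319984688u; /* constructed issue time */
    size_t len = nonce_build(nonce, sizeof nonce, issued, rnd, sizeof rnd);

    printf("fresh:   %d\n", nonce_check(nonce, len, sizeof rnd, issued + 60, 300));
    printf("stale:   %d\n", nonce_check(nonce, len, sizeof rnd, issued + 900, 300));
    printf("trimmed: %d\n", nonce_check(nonce, len - 1, sizeof rnd, issued + 60, 300));
    return 0;
}
```

The freshness check says nothing about who produced the nonce; that has to come from the encryption around it, which this sketch leaves out.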
