[17546] in Kerberos_V5_Development


Re: clock skew and preauth

daemon@ATHENA.MIT.EDU (Stef Walter)
Thu Apr 5 13:52:00 2012

Message-ID: <4F7DDBB6.1050908@gnome.org>
Date: Thu, 05 Apr 2012 19:51:50 +0200
From: Stef Walter <stefw@gnome.org>
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <CAK3OfOgpVU+rCGCyM=bVaaOdBHwNwuEXFwkUPBYyFHFQ1vxxnw@mail.gmail.com>
Cc: krbdev@mit.edu, tlyu@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 2012-04-05 19:48, Nico Williams wrote:
> If we're going to go this far, why not associate a realm name with
> each offset?  That way a multi-client-principal application can cope
> with each client realm having the wrong time.

Yes, I was going to look at that next ;)

But this preauth stuff is (and should be) conceptually separate. The
preauth server timestamp is untrusted, and so we shouldn't store it
anywhere. It's just to be used in the next encrypted timestamp preauth
reply. Essentially it becomes a challenge that we receive from the
server, which we respond to by encrypting it and sending it back.

Cheers,

Stef
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
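
The flow described in the message above, as an added sketch that is not part of the original post or of MIT krb5: a client with a wrong clock uses the server time from the unauthenticated preauth-required error only for its next encrypted-timestamp reply and leaves its stored offset untouched. ToyKDC, ToyClient, seal, stored_offset and the 300-second skew are assumptions made for illustration, and an HMAC tag stands in for the real PA-ENC-TIMESTAMP encryption.

```python
import hashlib
import hmac
import struct

CLOCK_SKEW = 300  # seconds; assumed KDC tolerance for this sketch


def seal(key, ts):
    """Stand-in for PA-ENC-TIMESTAMP encryption: 8-byte timestamp plus HMAC tag."""
    body = struct.pack(">Q", ts)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ToyKDC:
    def __init__(self, key, now):
        self.key, self.now = key, now

    def as_req(self, padata=None):
        # No preauth yet: reply with an unauthenticated error carrying server time.
        if padata is None:
            return ("KDC_ERR_PREAUTH_REQUIRED", self.now)
        body, tag = padata[:8], padata[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("KDC_ERR_PREAUTH_FAILED", self.now)
        (ts,) = struct.unpack(">Q", body)
        if abs(ts - self.now) > CLOCK_SKEW:
            return ("KRB_AP_ERR_SKEW", self.now)
        return ("OK", self.now)


class ToyClient:
    def __init__(self, key, local_now):
        self.key, self.local_now = key, local_now
        self.stored_offset = 0  # long-lived state; never set from the untrusted hint

    def login(self, kdc, use_hint=True):
        _, stime = kdc.as_req()
        # Request-scoped hint: a local variable that is gone when login() returns.
        hint = stime - self.local_now if use_hint else 0
        status, _ = kdc.as_req(seal(self.key, self.local_now + hint))
        return status
```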
