directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: [Kerberos] FYI, draft Kerberos schema
Date Mon, 14 May 2007 03:52:04 GMT
On 5/10/07, Enrique Rodriguez <enriquer9@gmail.com> wrote:
> ...
> I pinged the Novell authors, since the author of [2] is also at
> Novell, so maybe there's no need for the overlap in password policy
> and I was curious if they had any thoughts on licensing.

I found another issue with the Kerberos schema [1].  They don't store
the time at which keys were created.  When a key is exported from a
store to a keytab file, e.g. for use on a service host, the keytab entry
for each key has a timestamp field representing the time at which the
key was created.  I couldn't see how to determine the time at which a
key is created from the proposed schema, so I reported this to the
authors at Novell.

There is a 'krbLastPwdChange' which one could assume is the time the
keys were created, but this would only apply to keys derived from
passwords.  The semantics would be wrong for random keys generated for
a service host.

Enrique

[1] http://mailman.mit.edu/pipermail/kdc-schema/attachments/20060803/caceb865/draft-rajasekaran-kerberos-ldap-schema-01-0001.txt

[2] http://tools.ietf.org/html/draft-behera-ldap-password-policy-09
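The per-entry timestamp Enrique refers to is a fixed field of the MIT keytab file format (version 0x0502), so any exporter from an LDAP store has to supply a value for it. The following is an added illustration, not code from the thread or from the Novell draft: a small writer and parser for that format that shows where the key creation time sits on disk, including the negative-size "deleted slot" records a parser must skip. The realm, principals, timestamps and key bytes are constructed sample values, not real credentials.

```python
"""Minimal MIT keytab (format 0x0502) writer/parser, written to show the
per-entry key creation timestamp. Added example; constructed sample data."""
import struct
from datetime import datetime, timezone

KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 2


def _counted(data: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(realm, components, name_type, timestamp, kvno, enctype, key):
    """Serialise one entry. 'timestamp' is the key creation time (seconds
    since the epoch); it is mandatory in the format, so an exporter that
    reads keys from a directory must know or invent it."""
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">I", name_type)        # principal name type (v2 only)
    body += struct.pack(">I", timestamp)        # key creation timestamp
    body += struct.pack(">B", kvno & 0xFF)      # 8-bit key version number
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)             # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body  # entry size prefix (signed)


def write_keytab(entries):
    return KEYTAB_MAGIC + b"".join(encode_entry(**e) for e in entries)


class _Cursor:
    def __init__(self, data, off, end):
        self.data, self.off, self.end = data, off, end

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return vals if len(vals) > 1 else vals[0]

    def counted(self):
        n = self.take(">H")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk


def parse_keytab(data: bytes):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        c = _Cursor(data, off, off + size)
        ncomp = c.take(">H")
        realm = c.counted().decode()
        comps = [c.counted().decode() for _ in range(ncomp)]
        name_type = c.take(">I")
        timestamp = c.take(">I")
        kvno = c.take(">B")
        enctype, klen = c.take(">HH")
        key = c.data[c.off:c.off + klen]
        c.off += klen
        if c.end - c.off >= 4:       # trailing 32-bit kvno overrides the 8-bit one
            ext = c.take(">I")
            if ext:
                kvno = ext
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "timestamp": timestamp,
            "created": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
            "kvno": kvno,
            "enctype": enctype,
            "key": key,
        })
        off += size
    return entries


def demo():
    """Round-trip two constructed entries (a password-derived user key and a
    random service-host key) through a keytab that also contains a deleted slot."""
    entries = [
        dict(realm="EXAMPLE.COM", components=["alice"], name_type=1,
             timestamp=1178768000, kvno=3, enctype=17, key=b"\x01" * 16),
        dict(realm="EXAMPLE.COM", components=["host", "svc.example.com"], name_type=1,
             timestamp=1178700000, kvno=2, enctype=18, key=b"\x02" * 32),
    ]
    deleted_slot = struct.pack(">i", -3) + b"\x00" * 3   # constructed dead record
    blob = KEYTAB_MAGIC + deleted_slot + write_keytab(entries)[2:]
    return parse_keytab(blob)


if __name__ == "__main__":
    for e in demo():
        print(e["principal"], "kvno", e["kvno"], "created", e["created"])
```

With a real keytab, `klist -kt` prints the same timestamp column; for the service-host entry above that value has nothing to do with a password change, which is the point of the complaint about reusing krbLastPwdChange.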
