File: freshness_token.rst.txt

krb5 1.17-3+deb10u4
PKINIT freshness tokens
=======================

:rfc:`8070` specifies a pa-data type PA_AS_FRESHNESS, which clients
should reflect within signed PKINIT data to prove recent access to the
client certificate private key.  The contents of a freshness token are
left to the KDC implementation.  The MIT krb5 KDC uses the following
format for freshness tokens (starting in release 1.17):

* a four-byte big-endian POSIX timestamp
* a four-byte big-endian key version number
* an :rfc:`3961` checksum, with no ASN.1 wrapper

The checksum is computed using the first key of the indicated key
version in the local krbtgt principal entry for the realm (e.g.
``krbtgt/KRBTEST.COM@KRBTEST.COM`` if the request is to the
``KRBTEST.COM`` realm).  The checksum type must be the mandatory
checksum type for the encryption type of that krbtgt key.  The key
usage value for the checksum is 514.
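The following is an added example, not code from MIT krb5, showing the
token layout above end to end: a KDC-side minting routine, the parser,
and the verification a KDC performs when the client reflects the token.
It picks aes128-cts-hmac-sha256-128 for the krbtgt key because that
enctype's mandatory checksum type (hmac-sha256-128-aes128, RFC 8009)
needs only HMAC-SHA-256 and so runs with the standard library alone; a
real KDC takes the checksum type from whatever enctype the krbtgt key
has.  The key table ``KRBTGT_KEYS``, the 300-second ``clockskew`` and
the function names are constructed for the example, and the checksum is
assumed to be taken over the eight-byte timestamp-plus-kvno prefix, which
the text does not state.

```python
import hashlib
import hmac
import struct
import time

# Key usage value the MIT KDC uses for the freshness-token checksum.
KEYUSAGE_PA_AS_FRESHNESS = 514

# Checksum size for hmac-sha256-128-aes128, the mandatory checksum type of
# aes128-cts-hmac-sha256-128 (RFC 8009).  Chosen here because it needs only
# HMAC-SHA-256; the token is then 4 + 4 + 16 = 24 bytes.
CKSUM_LEN = 16

# Constructed key table standing in for the krbtgt/KRBTEST.COM@KRBTEST.COM
# principal entry: kvno -> first base key of that kvno.  Not real keys.
KRBTGT_KEYS = {
    3: bytes.fromhex("3705d96080c17728a0e800eab6e0d23c"),
    4: bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
}


def kdf_hmac_sha256(key, label, k_bits):
    """RFC 8009 KDF-HMAC-SHA2 for the SHA-256 enctype: a single counter
    block (counter = 1, label, 0x00, output length in bits), truncated."""
    block = b"\x00\x00\x00\x01" + label + b"\x00" + struct.pack(">I", k_bits)
    return hmac.new(key, block, hashlib.sha256).digest()[: k_bits // 8]


def checksum_hmac_sha256_128_aes128(base_key, usage, message):
    """RFC 8009 get_mic: Kc = KDF(base-key, usage | 0x99, 128) and
    mic = truncate(HMAC-SHA-256(Kc, message), 128 bits)."""
    kc = kdf_hmac_sha256(base_key, struct.pack(">I", usage) + b"\x99", 128)
    return hmac.new(kc, message, hashlib.sha256).digest()[:CKSUM_LEN]


def make_freshness_token(kvno, now=None, keys=KRBTGT_KEYS):
    """Build a token as the KDC would: big-endian timestamp, big-endian
    kvno, then the raw RFC 3961 checksum with no ASN.1 wrapper.  The
    checksum is assumed here to cover the eight-byte prefix."""
    if now is None:
        now = int(time.time())
    prefix = struct.pack(">II", now, kvno)
    cksum = checksum_hmac_sha256_128_aes128(
        keys[kvno], KEYUSAGE_PA_AS_FRESHNESS, prefix)
    return prefix + cksum


def parse_freshness_token(token):
    """Split a token into (timestamp, kvno, checksum).  Raises ValueError
    when the length does not match the expected checksum type."""
    if len(token) != 8 + CKSUM_LEN:
        raise ValueError("freshness token has unexpected length %d" % len(token))
    ts, kvno = struct.unpack(">II", token[:8])
    return ts, kvno, token[8:]


def check_freshness_token(token, now=None, keys=KRBTGT_KEYS, clockskew=300):
    """Verify a token the client reflected back.  Returns None when it is
    acceptable, otherwise a short rejection reason.  The checksum is
    verified before the timestamp so that a forged token is rejected
    without revealing anything about the accepted time window."""
    if now is None:
        now = int(time.time())
    try:
        ts, kvno, cksum = parse_freshness_token(token)
    except ValueError:
        return "malformed"
    key = keys.get(kvno)
    if key is None:
        return "unknown kvno"      # key rolled out of the entry, or forged
    expected = checksum_hmac_sha256_128_aes128(
        key, KEYUSAGE_PA_AS_FRESHNESS, token[:8])
    if not hmac.compare_digest(cksum, expected):
        return "bad checksum"
    if abs(now - ts) > clockskew:
        return "stale"             # outside the permitted clock skew
    return None


if __name__ == "__main__":
    issued = 1700000000
    tok = make_freshness_token(3, issued)
    print(tok.hex())
    print(check_freshness_token(tok, issued + 30))
    print(check_freshness_token(tok, issued + 3600))
    forged = tok[:4] + struct.pack(">I", 9) + tok[8:]
    print(check_freshness_token(forged, issued + 30))
```

Because the timestamp and kvno are covered by the checksum, a client
cannot refresh an old token by rewriting its timestamp, and the kvno
lets the KDC keep verifying tokens minted under a previous krbtgt key
for as long as that key remains in the principal entry.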