Pasi,
The MAC will check out only if the servers are using the same key.
If the servers regularly generate new keys (as is suggested in the

Yes.

But perhaps the document should contain more explicit requirements
about key management (e.g. the keys used to protect the tickets
must not be used for any other purpose, including sharing with other
non-identical nodes)...

This change would be useful, I think. I would also like
to see the MAC/encryption-keys-are-independent requirement
that Bernard was talking about.

Yes, changing the algorithm for all clients is a realistic
possibility. But if you generate new keys when you change the
algorithm (which you really should do anyway), then it's enough
to verify that the MAC is correct (if it isn't, it isn't really
important to know why it was not correct).

Doesn't the key_version field also provide a hint
as to whether the ticket is something that you
can recognize? Presumably, you could have multiple
versions, if you wanted to support old/new algorithms
and associated keys for a while...

In any case, it seems that it would be useful to add
a requirement that new keys and key_version values
be generated upon algorithm/format changes.
--Jari
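
The key handling discussed in this message, as an added example that is not part of the e-mail or of the draft under review: a server-side key ring indexed by key_version, with independently generated MAC and encryption keys and a fresh version on every algorithm change. The ticket layout (4-byte key_version, state, MAC), the class names and the method names are assumptions made for illustration; the state is treated as already-encrypted opaque bytes, so the encryption step itself is not shown.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TicketKeys:
    mac_alg: str      # hash used for the HMAC, e.g. "sha256"
    mac_key: bytes    # used only for the ticket MAC
    enc_key: bytes    # generated independently, never derived from mac_key


@dataclass
class KeyRing:
    keys: dict = field(default_factory=dict)   # key_version -> TicketKeys
    current: int = 0

    def rotate(self, mac_alg: str = "sha256") -> int:
        """Algorithm change or scheduled rotation: fresh keys, new key_version."""
        self.current += 1
        self.keys[self.current] = TicketKeys(
            mac_alg, secrets.token_bytes(32), secrets.token_bytes(32))
        return self.current

    def retire(self, version: int) -> None:
        self.keys.pop(version, None)

    def seal(self, state: bytes) -> bytes:
        k = self.keys[self.current]
        body = struct.pack(">I", self.current) + state   # MAC covers key_version
        return body + hmac.new(k.mac_key, body, k.mac_alg).digest()

    def open(self, ticket: bytes):
        """Return the protected state, or None to fall back to a full handshake."""
        if len(ticket) < 4:
            return None
        (version,) = struct.unpack(">I", ticket[:4])
        k = self.keys.get(version)
        if k is None:                       # unknown or retired key_version
            return None
        n = hashlib.new(k.mac_alg).digest_size
        if len(ticket) < 4 + n:
            return None
        body, tag = ticket[:-n], ticket[-n:]
        expected = hmac.new(k.mac_key, body, k.mac_alg).digest()
        # A failed MAC is simply "not usable"; the reason does not matter.
        return body[4:] if hmac.compare_digest(tag, expected) else None
```
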