Charles Hedrick <hedr...@rutgers.edu> writes:

> Anonymous PKINIT works fine but requires certs to be distributed. Unless
> you're prepared to update every machine in the world every year, you
> pretty much have to use a cert that goes back to a commercial CA.

Because you have to distribute the certs to the client anyway, you can use self-signed certificates and set whatever expiration you want. There's the standard tradeoff of long certificate lifetime, but so far as I know there's no reason why you can't set your KDC public key certificate lifetime to 50 years or whatever.

I agree with your other points, though.

-- 
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
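An added example, not part of this thread, of what the reply describes: a self-signed PKINIT KDC certificate issued for 50 years, plus a check that the lifetime and the KDC EKU actually came out as intended before the cert is pinned on clients. It assumes OpenSSL on PATH, a placeholder realm EXAMPLE.COM, and the KDC extension layout that MIT's PKINIT documentation describes.

```shell
#!/bin/sh
# Added example: self-signed PKINIT KDC cert with a 50-year lifetime.
# Assumptions: openssl on PATH; REALM and OUTDIR are placeholders.
set -eu
REALM="${REALM:-EXAMPLE.COM}"
OUTDIR="${OUTDIR:-$(mktemp -d)}"

# OpenSSL config with the PKINIT KDC extensions: the id-pkinit-KDC EKU
# (1.3.6.1.5.2.3.5) and a krbtgt/REALM SAN (id-pkinit-san, 1.3.6.1.5.2.2).
write_kdc_config() {
  cat > "$OUTDIR/kdc.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = kdc_cert
[dn]
CN = kdc.$REALM
[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:$REALM
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:2
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$REALM
EOF
}

# Self-signed for 18250 days (50 years): acceptable only because clients
# receive this exact cert out of band rather than trusting a public CA.
make_kdc_cert() {
  mkdir -p "$OUTDIR"; write_kdc_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 18250 \
    -config "$OUTDIR/kdc.cnf" -keyout "$OUTDIR/kdc.key" \
    -out "$OUTDIR/kdc.pem" 2>/dev/null
}

# Exit 0 only if the cert is still valid 49 years out but expired at 51,
# i.e. the requested 50-year lifetime really took effect.
kdc_cert_lifetime_ok() {
  openssl x509 -in "$1" -noout -checkend $((49 * 365 * 86400)) >/dev/null &&
  ! openssl x509 -in "$1" -noout -checkend $((51 * 365 * 86400)) >/dev/null
}

# Exit 0 only if the KDC EKU is present (shown as OID or as OpenSSL's name).
kdc_cert_has_kdc_eku() {
  openssl x509 -in "$1" -noout -text |
    grep -Eq '1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response'
}
```

Run `make_kdc_cert` and then the two checks against `$OUTDIR/kdc.pem`; the resulting kdc.pem is what gets distributed to clients as the pkinit_anchors trust root.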