On 05/02/2017 01:25 PM, Nico Williams wrote: > If it's at all possible to move this timestamp into an authenticator at > this point, I think that's the best solution.
I thought TLS clients were supposed to have even worse clocks (in terms of absolute time) than Kerberos clients. The current ticket_age scheme only requires the client's clock *rate* to be reasonable, not its absolute time. -Ben
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
