OSF DCE Application Development Guide--Core Components

The Login API
29.3 Handling Expired Certificates of Identity
For a dishonest principal to make use of an intercepted certificate of identity, it must
succeed in decrypting it. To make the task of decryption more difficult, a
certificate of identity has a limited lifespan, and once it expires, the associated
login context is no longer valid.
Because this security feature may inconvenience users, an application may wish to warn
a user when the certificate of identity is about to expire. The
sec_login_get_expiration( ) routine returns the expiration date of a certificate of
identity. When a certificate of identity is about to expire, the application may call
sec_login_refresh_identity(), which may be used to refresh any login context.
Similarly, a server principal may need to determine whether a certificate of identity may
expire during some long network operation and, if the certificate of identity is likely to
expire, refresh it to ensure that the operation is not prevented from completion.
Following is an example:
    /* Will the certificate of identity outlive the planned operation? */
    sec_login_get_expiration(login_context, &expire_time, &st);
    if (expire_time < (current_time + operation_duration))
    {
        if (sec_login_refresh_identity(login_context, &st))
        {
            /* ...identity has changed and must be validated again... */
        }
        else
        {
            /* ...login context cannot be renewed... */
            exit(0);
        }
    }
    operation();
Because sec_login_refresh_identity( ) acquires a certificate of identity, refreshed
contexts must be revalidated with sec_login_validate_identity( ) or
sec_login_valid_and_cert_ident( ) before they can be used.
The expiration date of a login context has no meaning with respect to local identity
information; for the same reason, sec_login_refresh_identity( ) cannot refresh a login
context that has been authenticated locally.
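The following added example (not part of the original guide) models the decision flow described in this section, including the revalidation requirement and the locally authenticated case. It does not call the DCE library: model_ctx, model_refresh, model_validate, prepare_for_operation and the new_lifetime parameter are hypothetical stand-ins so that the logic can be compiled and run without DCE installed.

```c
#include <stdbool.h>
#include <time.h>

/* Hypothetical model of a login context (not the real sec_login_handle_t). */
typedef struct {
    time_t expires;     /* expiration of the certificate of identity */
    bool   local_auth;  /* authenticated from local identity information */
    bool   validated;   /* false after a refresh until validated again */
} model_ctx;

typedef enum { READY, NEEDS_REVALIDATION, CANNOT_RENEW } renew_result;

/* Models sec_login_refresh_identity(): it cannot refresh a locally
 * authenticated context; on success the context holds a newly acquired
 * certificate of identity that is not yet validated.
 * new_lifetime is a constructed value supplied by the caller. */
bool model_refresh(model_ctx *c, time_t now, time_t new_lifetime)
{
    if (c->local_auth)
        return false;
    c->expires = now + new_lifetime;
    c->validated = false;
    return true;
}

/* Models sec_login_validate_identity(); key_ok stands for the key check. */
bool model_validate(model_ctx *c, bool key_ok)
{
    c->validated = key_ok;
    return key_ok;
}

/* Decide, before a long operation, whether the context can be used as is,
 * must be validated again first, or cannot cover the operation at all. */
renew_result prepare_for_operation(model_ctx *c, time_t now, time_t duration,
                                   time_t new_lifetime)
{
    /* Expiration has no meaning for local identity information. */
    if (c->local_auth || c->expires >= now + duration)
        return c->validated ? READY : NEEDS_REVALIDATION;
    if (!model_refresh(c, now, new_lifetime))
        return CANNOT_RENEW;
    /* Assumption of this example: a refreshed certificate may still be
     * shorter-lived than the operation, so check again. */
    if (c->expires < now + duration)
        return CANNOT_RENEW;
    return NEEDS_REVALIDATION;  /* validate before calling operation() */
}
```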
124245 Tandem Computers Incorporated 295