how to "ban" clients?

Nico Williams nico at cryptonector.com
Tue Aug 2 15:58:08 EDT 2011


On Aug 2, 2011 9:47 AM, <greg at enjellic.com> wrote:
>
> On Jul 27, 12:19pm, Nico Williams wrote:
> > On Tue, Jul 26, 2011 at 6:59 AM,  <ghudson at mit.edu> wrote:
> > It'd be nice to have a standard revocation protocol for Kerberos...
>
> We have one, it's called authorization.... :-)

Not if we insist on delivering authz-data via Kerberos tickets (see Simo's
PAD proposal).

Also, we don't re-authorize long-lived sessions constantly -- not at all
actually.  So, yes IMO we need a low latency revocation protocol.

Nico
--


