longer ticket life vs auto renew
Nico Williams
nico at cryptonector.com
Tue Aug 14 17:20:13 EDT 2012
On Tue, Aug 14, 2012 at 3:41 PM, Roland C. Dowdeswell <elric at imrryr.org> wrote:
> On Tue, Aug 14, 2012 at 10:47:42AM -0500, Nico Williams wrote:
>> A few remarks regarding revocation:
>>
>> - For same realm client and service the TGS should check that the
>> client principal is still valid.
>
> Right, but this only applies to services that are not in the ccache.
> Given that many tickets may be in the caches when a client is
> disabled, it's often safest to assume that the client will continue
> to have access to quite a lot until the max life has passed.
>
>> - For x-realm tickets the most reasonable thing to do may be to
>> shorten ticket life.
>
> It might also be reasonable to assign shorter lifetimes to all
> service tickets excluding the main TGT but including all of the
> xrealm TGTs. Of course, within a reasonable analysis of performance.

Agreed. Note that the client could refresh shorter-lived svc/x-realm
tickets proactively.

Nico
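
The trade-off discussed in this thread, as a toy model added here (not part of the original message and not code from any Kerberos implementation): it compares how long a disabled client keeps access through a cached service ticket when service tickets live as long as the TGT versus when they are short-lived and refreshed proactively. The function names, the timeline in seconds, and the refresh margin are assumptions made for illustration.

```python
# Toy model (added example, not MIT/Heimdal code). Times are seconds on a
# constructed timeline; the TGT is issued at t=0 and is not renewed.

def tgs_issue(now, svc_life, tgt_end, disabled_at):
    """Same-realm TGS request: return the new ticket's endtime, or None."""
    if now >= disabled_at:   # TGS checks that the client principal is still valid
        return None
    if now >= tgt_end:       # the TGT itself has expired
        return None
    return min(now + svc_life, tgt_end)   # a service ticket cannot outlive the TGT

def exposure(svc_life, tgt_life, disabled_at, first_use=0,
             refresh_margin=300, step=60):
    """Seconds after disabled_at during which the client still holds a
    usable service ticket in its ccache."""
    endtime = None
    for now in range(first_use, tgt_life + step, step):
        # Request a ticket on first use, then refresh proactively once the
        # cached one is within refresh_margin of expiring.
        if endtime is None or endtime - now <= refresh_margin:
            new = tgs_issue(now, svc_life, tgt_life, disabled_at)
            if new is not None:
                endtime = new
    if endtime is None:
        return 0             # ticket was never in the ccache: the TGS check wins
    return max(0, endtime - disabled_at)

if __name__ == "__main__":
    TGT_LIFE = 36000         # 10 h, constructed value
    DISABLED_AT = 3700       # client principal disabled about an hour in
    print("service ticket life == TGT life:", exposure(36000, TGT_LIFE, DISABLED_AT))
    print("15 min service tickets, refreshed:", exposure(900, TGT_LIFE, DISABLED_AT))
    print("service not yet in ccache:", exposure(900, TGT_LIFE, DISABLED_AT, first_use=4000))
```

In this model the exposure for a cached ticket is bounded by the service ticket lifetime, while the TGS validity check alone only helps for services the client had not yet obtained a ticket for.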