"revoking" a TGT?
Nico Williams
nico at cryptonector.com
Wed Aug 10 12:20:02 EDT 2016
On Wed, Aug 10, 2016 at 11:05:43AM -0500, Nico Williams wrote:
> Even the simplest reliable revocation schemes beyond having TGSes check
> the client principal's record presume a high-performance pub-sub
> protocol and implementation(s).

Reliable multicast type protocols would be nice for this, though a
unicast (TCP-based, no doubt) protocol should be needed as well.

I've tested a C10K tail-f service to 20k concurrent connections on
loopback just fine, and that could be part of a unicast protocol.
Modern async I/O APIs make this easy enough. Such a thing can scale by
fanout too, so it's plenty scalable, though multicast would generally
scale best in many networks.

A revocation pub-sub protocol wouldn't be too difficult to design and
implement. But it is work that would have to be done.
Nico
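The scheme sketched in this message, as an added toy model that is not Nico's code and not part of MIT krb5: a KDC-side publisher keeps a sequence-numbered, replayable log of revocation events; a TGS subscribes, tails the log (catching up after a disconnect by asking for everything past the last sequence number it saw, the "tail -f" part), and then refuses to issue service tickets on a TGT whose authtime is not later than the client principal's revocation time. All class names, the event format and the timestamp semantics are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RevocationEvent:
    seq: int          # monotonically increasing, gap-free within the feed
    principal: str    # client principal being revoked (constructed sample values in the test)
    revoked_at: int   # TGTs with authtime <= revoked_at are no longer honoured


class RevocationPublisher:
    """Append-only feed: reliability lives in the replayable log, not the transport."""

    def __init__(self) -> None:
        self.log: List[RevocationEvent] = []

    def revoke(self, principal: str, now: int) -> RevocationEvent:
        ev = RevocationEvent(len(self.log) + 1, principal, now)
        self.log.append(ev)
        return ev

    def tail(self, after_seq: int) -> List[RevocationEvent]:
        # Unicast catch-up: every event the subscriber has not yet seen, in order.
        return [ev for ev in self.log if ev.seq > after_seq]


class TicketGrantingServer:
    """Subscriber side: applies revocations and checks TGTs against them."""

    def __init__(self) -> None:
        self.last_seq = 0
        self.revoked: Dict[str, int] = {}   # principal -> latest revocation time

    def sync(self, pub: RevocationPublisher) -> int:
        """Pull missed events; a sequence gap means lost data, so fail loudly rather than silently."""
        for ev in pub.tail(self.last_seq):
            if ev.seq != self.last_seq + 1:
                raise RuntimeError(f"revocation feed gap: expected {self.last_seq + 1}, got {ev.seq}")
            # Keep the newest revocation time; an older event must never roll a newer one back.
            self.revoked[ev.principal] = max(self.revoked.get(ev.principal, 0), ev.revoked_at)
            self.last_seq = ev.seq
        return self.last_seq

    def tgs_req(self, client: str, tgt_authtime: int) -> bool:
        """True if a service ticket may be issued on a TGT with this authtime."""
        return tgt_authtime > self.revoked.get(client, -1)
```

A TGS that has not yet synced still honours the old TGT, which is exactly the window the reliable, low-latency feed in the message is meant to shrink.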