The other solution I can imagine is creating an anonymous memory ccache variant which destroys itself on exit. There would be implications for the current implementation of krb5_cc_dup(), as well as any code which tries to use the ccache name. A flag in the gss-krb5 creds structure is probably more conservative, and is fine for now.