What do you want from your credentials cache? (was Credential cache searching, ccapi and file caches)

Matt Crawford crawdad at fnal.gov
Thu Jul 15 15:54:09 EDT 2004

> The Questions:

My site seems to be near the lunatic fringe (some days), so I'll answer 
from our viewpoint.

> 1) Do users need the ability to be able to switch between two TGTs 
> with the same client principal?

In theory, some user will want to do this some day.  In practice, such 
a user and such a day will be so rare that I'd "just say no."

> 2) When searching through TGTs, what kind of control would the user 
> want?  Obviously we want to be able to turn searching off, but do we 
> want something finer-grained?

I can only imagine a non-trivial number of users wanting the following 

0. Use the credentials (or client principal) I specify.
1. Use a credential with the first component I specify.
2. Use a credential with the second component (instance) I specify.
3. Choose the credential with the "best" realm match for the service.

> 3) How many different non-cross-realm client principals do users 
> usually get?  How many service tickets do users usually get per client 
> principal?  If you envision larger numbers in the near future, use 
> those instead.

Today: 1 to 3 client principals, 1 to 20 service tickets.
Five years out: 1 to 6 client principals, up to a few hundred service 

> 4) Would it be acceptable to only implement the searching for 
> CCAPI-based caches and just leave the file-based cache behavior as is?

When CCAPI is available on other platforms, yes.

More information about the krbdev mailing list