Fast Negotiation: renewed and validated credentials

Sam Hartman hartmans at MIT.EDU
Fri Nov 20 12:16:37 EST 2009

I've discovered another problem; comments greatly appreciated.
This is from the wiki writeup:
Another complexity is handling of renewed and validated credentials.   Currently, the APIs for handling renewal and credential validation take a ccache, but do not write credentials out to the ccache.  Since there is no API documentation it's not clear what behavior changes are acceptable.  For a program today that runs the renewal and then replaces the credentials in the cache, writing out the credentials would be a no-op.  For a program that expects credentials unrelated to the renewal to remain in the cache and be undisturbed, that behavior change would be significant. Another approach might be to preserve set_config state across calls to krb5_cc_initialize.  That should not affect existing code, although it would make it difficult to unset configuration state in a ccache.

More information about the krbdev mailing list