HTTP && HTTPS Transport Review

Nico Williams nico at
Mon Aug 12 18:07:22 EDT 2013

On Mon, Aug 12, 2013 at 4:27 PM, Robbie Harwood <rharwood at> wrote:

I'm not sure that I agree that using GET is not RESTful (that's not
what you wrote, but that's the "in" way to say that "using GET is not
particularly in keeping with ..." :)

Getting a Kerberos credential is, notionally, an idempotent operation.
 You'll get a current, fresh, *cacheable* version every time you ask
provided that the pre-auth credentials (even in TGS exchanges there's
pre-auth, using an AP-REQ using a TGT) are valid and that the
cname/sname exist and are not locked.

That means that using GET to do AS and TGS exchanges is RESTful.

Password changes, on the other hand, are notionally not idempotent,
or, well, they *could* be, if the policy allows a user to change their
password to their current password at any time [without changing the
password expiration time].  But anyways.


More information about the krbdev mailing list