Automatic FAST via Anonymous PKINIT

Nico Williams nico at
Fri May 30 10:16:07 EDT 2014

Greg's #1 works, just inefficiently.  It's a lot better than nothing and a
no-brainer.  #2 doesn't help much.  #3 might be more useful than you think,
but I'd store the FAST armor ticket (it's constrained, isn't it?) in the
normal ccache, with a link to it from a ccconfig entry.  #4 is clearly
desirable from a systems pov, though i would prefer an IPC protocol so as
to be better able to apply least privilege principles.  Still, #4 looks
very nice, so it gets my +1.


More information about the krbdev mailing list