Authentication strength and ticket policy

[Matt Rogers]

On the call we briefly discussed the request to be able to influence
the ticket lifetime based on the preauth method used (ie. shorter
lifetimes for 2FA tickets).  It would be good to continue the
discussion here. 

To summarize, my understanding is that there is not a good way to do
this with auth indicators and the current AS/TGS policy code. The
authentication level may be desireable for influencing not just ticket
lifetime but other bits of policy, like the session key type, so we
would need a type of KDC policy interface (KDB?) in order to be
sufficiently generic. Then at that point plugins can be written to
support these kinds of policy decisions.

Regards,
Matt