On Tue, Aug 14, 2012 at 3:41 PM, Roland C. Dowdeswell <[email protected]> wrote:
> On Tue, Aug 14, 2012 at 10:47:42AM -0500, Nico Williams wrote:
>> A few remarks regarding revocation:
>>
>> - For same realm client and service the TGS should check that the
>> client principal is still valid.
>
> Right, but this only applies to services that are not in the ccache.
> Given that many tickets may be in the caches when a client is
> disabled, it's often safest to assume that the client will continue
> to have access to quite a lot until the max life has passed.
>
>> - For x-realm tickets the most reasonable thing to do may be to
>> shorten ticket life.
>
> It might also be reasonable to assign shorter lifetimes to all
> service tickets excluding the main TGT but including all of the
> xrealm TGTs. Of course, within a reasonable analysis of performance.

Agreed. Note that the client could refresh shorter-lived svc/x-realm
tickets proactively.

Nico
--
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
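The exposure window Roland describes, as an added example that is not part of the original thread: a small Python model of a credential cache after the principal is disabled at its home KDC. It assumes, as the thread proposes, that the home TGS re-checks the client principal on every TGS-REQ, that a foreign KDC sees only the cross-realm TGT and so keeps issuing service tickets until that TGT expires, and that services accept cached tickets until they expire; the realm names, lifetimes and disable time are constructed.

```python
from dataclasses import dataclass

HOME, H = "EXAMPLE.ORG", 3600   # constructed home realm; one hour in seconds
@dataclass(frozen=True)
class Ticket:
    sprinc: str   # service principal, e.g. "krbtgt/PARTNER.NET@EXAMPLE.ORG"
    issued: int   # seconds since an arbitrary epoch (constructed)
    life: int     # ticket lifetime in seconds

    @property
    def end(self):
        return self.issued + self.life
    def xrealm_target(self, home):
        """Realm this ticket is a cross-realm TGT for, else None."""
        name = self.sprinc.split("@")[0]
        return name[7:] if name.startswith("krbtgt/") and name[7:] != home else None
def last_usable(ccache, disabled_at, svc_life, home=HOME):
    """Last time each cached credential, or a ticket derived from it, can still
    be presented once the principal is disabled at disabled_at. svc_life maps
    each foreign realm to the service-ticket lifetime its KDC issues."""
    out = {}
    for t in ccache:
        if t.end <= disabled_at:
            continue                        # already expired: no exposure
        target = t.xrealm_target(home)
        if target is not None:
            # foreign KDC cannot see the disable: it issues a svc ticket right
            # up to TGT expiry, and that ticket lives a further svc_life[target]
            out[t.sprinc] = t.end + svc_life[target]
        elif t.sprinc.startswith("krbtgt/"):
            out[t.sprinc] = disabled_at     # home TGS re-checks the principal
        else:
            out[t.sprinc] = t.end           # cached service ticket runs to expiry
    return out
def exposure_seconds(ccache, disabled_at, svc_life, home=HOME):
    """Worst-case seconds of continued access after disablement."""
    lu = last_usable(ccache, disabled_at, svc_life, home)
    return max(lu.values(), default=disabled_at) - disabled_at

def make_ccache(tgt_life, xrealm_life, svc_life):
    # Constructed ccache: every ticket obtained at t=0 with the given lifetimes.
    return [Ticket(f"krbtgt/{HOME}@{HOME}", 0, tgt_life),
            Ticket(f"krbtgt/PARTNER.NET@{HOME}", 0, xrealm_life),
            Ticket(f"host/db.example.org@{HOME}", 0, svc_life),
            Ticket("HTTP/www.partner.net@PARTNER.NET", 0, svc_life)]

# Principal disabled 30 min in. Policy A: 10h for everything.
LONG = exposure_seconds(make_ccache(10*H, 10*H, 10*H), H//2, {"PARTNER.NET": 10*H})
# Policy B (the thread's proposal): 10h home TGT, 1h x-realm TGTs and svc tickets.
SHORT = exposure_seconds(make_ccache(10*H, H, H), H//2, {"PARTNER.NET": H})
```

With a 10h lifetime on everything the client keeps access for 70200 s (19.5h) after disablement, because the cached cross-realm TGT can still fetch a fresh 10h service ticket just before it expires; with 1h cross-realm and service tickets the bound drops to 5400 s (1.5h), independent of the 10h home TGT.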
