On Wed, Aug 10, 2016 at 11:05:43AM -0500, Nico Williams wrote: > Even the simplest reliable revocation schemes beyond having TGSes check > the client principal's record presume a high-performance pub-sub > protocol and implementation(s).
Reliable multicast type protocols would be nice for this, though a unicast (TCP-based, no doubt) protocol should be needed as well. I've tested a C10K tail-f service to 20k concurrent connections on loopback just fine, and that could be part of a unicast protocol. Modern async I/O APIs make this easy enough. Such a thing can scale by fanout too, so it's plenty scalable, though multicast would generally scale best in many networks. A revocation pub-sub protocol wouldn't be too difficult to design and implement. But it is work that would have to be done. Nico -- ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
