On Wed, 2011-07-27 at 06:35 -0400, Chris Hecker wrote:
> Okay, I implemented this today.

We may add a feature like this at some point, in order to provide fast revocation for high-value services. In order to get any solid security guarantees, the service would need to set a short maximum lifetime, and would need to force reauthentications upon ticket expiration. I can't provide any timeline, though.

Relative to your patch, we would likely need to address:

* Precisely how the client lookup should be done (what flags, basically). Canonicalization of the client principal should not generally be needed since it will have been done during the AS request.
* Consideration of edge cases, such as when the client principal entry has been deleted or renamed or deleted and recreated since the AS request.
* Consideration of whether to extend the DAL interface's TGS verification function to take the client DB entry as input when available.
* A long-overdue refactoring of the TGS code path before additional complexity is added to it.
* Documentation.
* Automated test cases.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
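The following is an added illustration of the design points raised in the reply above, not MIT krb5 code and not part of the original thread. It is a constructed in-memory model of a KDC that re-checks the client principal entry at TGS time: the AS exchange clamps the ticket lifetime to a short maximum, and the TGS exchange refuses to issue a service ticket when the TGT has expired, when the client entry is missing (deleted or renamed), when it was deleted and recreated after the AS exchange, or when it has been disabled. All class, function and field names (including the `created_at` timestamp used to detect a recreated entry) are hypothetical, and the principal names and times are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

# Constructed model of a TGS-time client lookup for fast revocation.
# Not MIT krb5 code; every name here is hypothetical.


class Verdict(Enum):
    OK = "issue service ticket"
    EXPIRED = "TGT expired; client must reauthenticate with the AS"
    CLIENT_MISSING = "client entry missing (deleted or renamed since the AS exchange)"
    CLIENT_RECREATED = "client entry deleted and recreated since the AS exchange"
    CLIENT_DISABLED = "client entry is disabled"


@dataclass
class PrincipalEntry:
    name: str
    created_at: int        # hypothetical DB field: when this entry was created
    disabled: bool = False


@dataclass
class Ticket:
    client: str            # client principal name as it was at AS time
    authtime: int          # time of the original AS exchange
    endtime: int           # ticket expiry


class KDB:
    """Minimal in-memory principal database standing in for the KDC backend."""

    def __init__(self) -> None:
        self._entries: Dict[str, PrincipalEntry] = {}

    def add(self, name: str, now: int) -> None:
        self._entries[name] = PrincipalEntry(name, created_at=now)

    def delete(self, name: str) -> None:
        self._entries.pop(name, None)

    def rename(self, old: str, new: str) -> None:
        entry = self._entries.pop(old)
        self._entries[new] = PrincipalEntry(new, entry.created_at, entry.disabled)

    def disable(self, name: str) -> None:
        self._entries[name].disabled = True

    def lookup(self, name: str) -> Optional[PrincipalEntry]:
        return self._entries.get(name)


def issue_tgt(client: str, now: int, requested_lifetime: int, max_lifetime: int) -> Ticket:
    """AS exchange: clamp the TGT lifetime to the service's short maximum."""
    return Ticket(client, authtime=now, endtime=now + min(requested_lifetime, max_lifetime))


def tgs_check_client(kdb: KDB, tgt: Ticket, now: int) -> Verdict:
    """TGS exchange: re-validate the client entry before issuing a service ticket."""
    if now >= tgt.endtime:
        return Verdict.EXPIRED
    entry = kdb.lookup(tgt.client)
    if entry is None:
        # Covers both deletion and renaming: the TGT still names the old principal.
        return Verdict.CLIENT_MISSING
    if entry.created_at > tgt.authtime:
        # Same name, but not the entry the AS exchange authenticated against.
        return Verdict.CLIENT_RECREATED
    if entry.disabled:
        return Verdict.CLIENT_DISABLED
    return Verdict.OK


def revocation_scenario() -> List[Verdict]:
    """Walk one TGT through the edge cases; returns the verdict at each step."""
    kdb = KDB()
    kdb.add("alice@EXAMPLE.COM", now=0)                       # constructed sample principal
    tgt = issue_tgt("alice@EXAMPLE.COM", now=100, requested_lifetime=36000, max_lifetime=600)
    verdicts = [tgs_check_client(kdb, tgt, now=200)]          # healthy entry: OK
    kdb.disable("alice@EXAMPLE.COM")
    verdicts.append(tgs_check_client(kdb, tgt, now=300))      # revoked before TGT expiry
    kdb.delete("alice@EXAMPLE.COM")
    verdicts.append(tgs_check_client(kdb, tgt, now=400))      # entry gone
    kdb.add("alice@EXAMPLE.COM", now=450)
    verdicts.append(tgs_check_client(kdb, tgt, now=500))      # recreated after authtime
    verdicts.append(tgs_check_client(kdb, tgt, now=700))      # past the 600 s clamp
    return verdicts


if __name__ == "__main__":
    for v in revocation_scenario():
        print(v.name, "-", v.value)
```

The point of the walk-through is that disabling or deleting the entry takes effect at the next TGS request rather than at TGT expiry, while the clamped lifetime bounds how long a client that never returns to the TGS can keep using an already-issued service ticket.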