On 08/09/2012 09:42 AM, Matt Garman wrote:
> Perhaps I didn't look hard enough, but I haven't been able to find a
> discussion on why one might choose one option over the other. I was
> hoping some of the list members might weigh in with their thoughts.

Practically speaking, I think the main security difference is that if you abandon a renewable ticket without destroying it for a while (until its current lifetime is expired, but before its renewable lifetime is) and someone else recovers it, they can't use it. But if the ticket has a really long lifetime, they can. On the flip side, you have to run something like krenew to keep the ticket from expiring while you're using it.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
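
The trade-off described in the reply above, as a small model added here (not part of the original post and not MIT Kerberos code): it compares how long an abandoned, undestroyed ticket stays usable when it is short-lived and renewable versus long-lived. The 10-hour lifetime, 7-day renewable life, hourly renewal and function names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR

@dataclass
class Ticket:
    endtime: int     # end of the current lifetime (seconds after issue)
    renew_till: int  # end of the renewable lifetime; 0 means not renewable
    lifetime: int    # lifetime granted on each issue or renewal

def issue(lifetime, renewable_life=0):
    """Constructed model of an initial ticket issued at t=0."""
    return Ticket(endtime=lifetime, renew_till=renewable_life, lifetime=lifetime)

def usable(t, now):
    """A ticket is accepted only before its current end time."""
    return now < t.endtime

def renew(t, now):
    """Renewal rule: only a still-valid renewable ticket can be renewed,
    and the new end time never passes renew_till. Whoever holds a valid
    copy can do this, which is why destroying the ticket still matters."""
    if not usable(t, now) or now >= t.renew_till:
        return False
    t.endtime = min(now + t.lifetime, t.renew_till)
    return True

def abandon_after(t, abandon_at, renew_every):
    """Owner renews on a fixed interval (as a krenew-like helper would)
    until abandon_at, then leaves the ticket cache undestroyed."""
    now = renew_every
    while now <= abandon_at and renew(t, now):
        now += renew_every
    return t

def exposure(t, abandon_at):
    """Seconds after abandonment during which a recovered copy still works."""
    return max(0, t.endtime - abandon_at)

if __name__ == "__main__":
    # Constructed scenario: both tickets abandoned two days after issue.
    renewable = abandon_after(issue(10 * HOUR, 7 * DAY), 2 * DAY, HOUR)
    long_lived = abandon_after(issue(7 * DAY), 2 * DAY, HOUR)
    for name, t in (("renewable 10h/7d", renewable), ("7d lifetime", long_lived)):
        print(f"{name}: usable for {exposure(t, 2 * DAY) // HOUR}h after abandonment")
```

In this model the renewable ticket's exposure after abandonment is bounded by one ticket lifetime, while the long-lived ticket stays usable for the rest of its full lifetime.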