On Tue, Aug 14, 2012 at 10:47:42AM -0500, Nico Williams wrote:
> > On Mon, Aug 13, 2012 at 7:05 AM, Mark Pröhl <m...@mproehl.net> wrote:
> > if a ticket has been issued to the client, the KDC cannot revoke that
> > ticket, even if the client is deleted or disabled. But if the client
> > needs to do a renew request from time to time, the KDC might not issue
> > new tickets if the client is deleted or disabled.
>
> A few remarks regarding revocation:
>
> - For same realm client and service the TGS should check that the
> client principal is still valid.

Right, but this only applies to services that are not in the ccache.
Given that many tickets may be in the caches when a client is disabled,
it's often safest to assume that the client will continue to have access
to quite a lot until the max life has passed.

> - For x-realm tickets the most reasonable thing to do may be to
> shorten ticket life.

It might also be reasonable to assign shorter lifetimes to all service
tickets excluding the main TGT but including all of the xrealm TGTs.
Of course, within a reasonable analysis of performance.

--
Roland Dowdeswell http://Imrryr.ORG/~elric/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
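A toy model of the revocation window discussed in this thread, added here as an illustration and not code from MIT Kerberos or from the posters: a same-realm TGS refuses a disabled client's TGT, a foreign TGS cannot check the client and only has the cross-realm TGT's endtime to bound what it issues, and anything already in the ccache stays usable until it expires. Realm names, principals and times are constructed.

```python
from dataclasses import dataclass

@dataclass
class Ticket:
    client: str    # client principal, e.g. "alice@A.EXAMPLE"
    service: str   # service principal; "krbtgt/B.EXAMPLE@A.EXAMPLE" is a cross-realm TGT
    endtime: int   # absolute expiry, seconds since an arbitrary epoch

class KDC:
    """A realm's TGS with a principal database: name -> enabled flag."""
    def __init__(self, realm, principals):
        self.realm = realm
        self.enabled = dict(principals)

    def disable(self, client):
        self.enabled[client] = False

    def tgs_req(self, tgt, service, now, max_life):
        """Issue a service ticket against a TGT, or return None on refusal."""
        if not tgt.service.startswith("krbtgt/" + self.realm + "@"):
            return None                  # TGT is not for this realm's TGS
        if now >= tgt.endtime:
            return None                  # expired TGT
        client_realm = tgt.client.rsplit("@", 1)[1]
        if client_realm == self.realm and not self.enabled.get(tgt.client, False):
            return None                  # same-realm client: database says disabled
        # Cross-realm client: nothing local to check. The new ticket is still
        # bounded by the TGT's endtime, so a short x-realm TGT limits exposure.
        return Ticket(tgt.client, service, min(now + max_life, tgt.endtime))

def residual_access(ccache, now, home_realm):
    """Latest time a just-disabled client can still present something cached.
    The home-realm TGT is excluded because the home TGS will refuse it."""
    home_tgt = f"krbtgt/{home_realm}@{home_realm}"
    return max((t.endtime for t in ccache
                if t.service != home_tgt and t.endtime > now), default=now)

def scenario(xrealm_tgt_end):
    """alice@A.EXAMPLE holds a TGT, a cross-realm TGT for B.EXAMPLE and one
    service ticket, then is disabled at t=1000 (all values constructed)."""
    kdc_a = KDC("A.EXAMPLE", {"alice@A.EXAMPLE": True})
    kdc_b = KDC("B.EXAMPLE", {})
    tgt = Ticket("alice@A.EXAMPLE", "krbtgt/A.EXAMPLE@A.EXAMPLE", 36000)
    xtgt = Ticket("alice@A.EXAMPLE", "krbtgt/B.EXAMPLE@A.EXAMPLE", xrealm_tgt_end)
    svc = Ticket("alice@A.EXAMPLE", "host/x.a.example@A.EXAMPLE", 20000)
    kdc_a.disable("alice@A.EXAMPLE")
    local = kdc_a.tgs_req(tgt, "cifs/fs.a.example@A.EXAMPLE", 1000, 36000)
    remote = kdc_b.tgs_req(xtgt, "host/y.b.example@B.EXAMPLE", 1000, 36000)
    return local, remote, residual_access([tgt, xtgt, svc], 1000, "A.EXAMPLE")
```

Running `scenario(36000)` versus `scenario(4600)` shows the effect of shortening only the cross-realm TGT: the foreign TGS still issues tickets after the disable, but their endtime, and the client's remaining window, drops with it.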