On Wed, Aug 09, 2017 at 01:11:07PM -0500, Nico Williams wrote:
> On Wed, Aug 09, 2017 at 06:01:26PM +0000, Viktor Dukhovni wrote:
> > On Wed, Aug 09, 2017 at 07:34:15PM +0200, Harald Barth wrote:
> >
> > > Btw, one of my ticket caches looks like this (probably MIT library):
> > >
> > > Issued Expires Principal
> > > Aug 5 18:06:47 2017 Aug 12 18:06:45 2017
> > > krbtgt/besserwisser....@besserwisser.org
> > > Aug 5 18:06:50 2017 >>>Expired<<<
> > > imap/jaja.besserwisser....@besserwisser.org
> > > Aug 6 18:35:34 2017 >>>Expired<<<
> > > imap/jaja.besserwisser....@besserwisser.org
> > > Aug 8 09:08:14 2017 >>>Expired<<<
> > > imap/jaja.besserwisser....@besserwisser.org
> > > Aug 9 09:12:16 2017 Aug 10 09:12:16 2017
> > > imap/jaja.besserwisser....@besserwisser.org
> > >
> > > There is no reason that the expired service tickets are kept around,
> > > but in this case, the code seems to keep them and append new tickets
> > > at the end instead.
> >
> > By design, the "FILE" credential cache type is *append-only*. Much
> > fancier read-write locking and recovery would be needed for a cache
> > where entries can be deleted and replaced.
>
> Actually, no, the FILE ccache does support deletion, certainly in
> Heimdal 7.x.
That's in-place invalidation, not deletion. I was talking about
deletion.
--
Viktor.
