Nico,

Thanks for the reply.

> Ticket renewal involves a TGS exchange, which means you need a valid TGT
> in the first place, which means that renewable service tickets provide
> not much benefit over non-renewable service tickets.
> 
> In other words, a renewable service ticket cannot be renewed without a
> valid TGT to authenticate the user principal to the KDC, but if you have
> a valid TGT you might as well request a new service ticket rather than a
> renewed service ticket.

Suppose that the lifetime of TGT1 is 2 hours and it is renewed before
it expires and thus becomes TGT2. If it takes a hacker 3 hours to find
out the session key in TGT1 and he captures all the packets on the network,
can the hacker then decrypt the TGS exchange for the renewal and find out
the session key in TGT2? Can he then impersonate Paul for the remaining
lifetime (1 hour) of TGT2 and get the next new session key when it is
renewed again?


