> No, the only way in which a revocation protocol for Kerberos makes any
> sense to me is one that involves propagating notices to those services (TGSes
> included) for which the principal in question got extant tickets.

Good. :) Do that.

Seems that the KDC would have to be upgraded with connection info for services 
(can't trust that instance name == dns; can't trust that the service is running 
on the standard port).

Oh, and if the service is httpd, slapd, or nfs using principal 
"host/example.com", how does one figure out which service to contact?

Bryce




________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
