On Mon, 2007-10-15 at 15:36 -0500, Nicolas Williams wrote:
> That MIT supports a NONE rcache should be no excuse for Solaris
> supporting it too if any of the other options performs sufficiently
> well.
It's been a while since I glued Kerberos into a protocol, but my
recollection is that it is possible to do so (by including nonces or
channel-binding-like things into the authenticator) in a way that
renders the replay cache unnecessary. Any work done to manage a replay
cache for such an application would be 100% wasted.
- Bill
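
Added example, not part of the original message: a sketch of the nonce approach described above, in which the server issues a fresh per-connection challenge that the client binds into its authenticator, so a captured authenticator fails on any other connection without a shared replay cache. It assumes an HMAC under a constructed key as a stand-in for Kerberos authenticator encryption under the session key; `Connection`, `make_authenticator` and the wire format are hypothetical, not a Kerberos API.

```python
import hashlib
import hmac
import os
import time

SESSION_KEY = bytes(range(32))  # constructed stand-in for the ticket's session key
MAX_SKEW = 300  # seconds of tolerated clock skew (assumed value)


def make_authenticator(key: bytes, client: bytes, nonce: bytes, now: float) -> bytes:
    """Client side: bind the server's fresh nonce into the authenticator."""
    body = b"|".join([client, str(int(now)).encode(), nonce.hex().encode()])
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


class Connection:
    """Server side of one connection; its only state is its own nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = os.urandom(16)  # sent to the client as the challenge

    def accept(self, authenticator: bytes, now: float) -> bool:
        if self.nonce is None:
            return False  # challenge already consumed on this connection
        try:
            body, tag = authenticator.rsplit(b"|", 1)
            _client, ts, nonce_hex = body.split(b"|")
            timestamp = int(ts)
        except ValueError:
            return False  # malformed authenticator
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or modified
        if abs(now - timestamp) > MAX_SKEW:
            return False  # outside the clock-skew window
        # A captured authenticator carries some other connection's nonce.
        if not hmac.compare_digest(nonce_hex, self.nonce.hex().encode()):
            return False
        self.nonce = None  # single use; no cross-connection cache is kept
        return True


def demo() -> tuple:
    now = time.time()
    first, second = Connection(SESSION_KEY), Connection(SESSION_KEY)
    captured = make_authenticator(SESSION_KEY, b"alice@EXAMPLE.COM", first.nonce, now)
    # Original use, replay on a new connection, replay on the same connection.
    return (first.accept(captured, now), second.accept(captured, now + 1),
            first.accept(captured, now + 2))
```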