> I've got a really dumb question: why aren't tickets
> treated as public information? They're clearly snoopable
> on the wire, so confidentiality shouldn't be assumed.
> To my mind tickets are analogous to X.509 certs which
> are, essentially, public information; the private/secret
> key is what's important to keep secret.

Tickets != credentials (he was talking about the credential cache).
Included in the credential cache is the session key for the ticket, which
is the information you really need to keep secret.  Tickets aren't
long-lived and aren't very much use without the session key, so they're
generally treated as one unit.

--Ken
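
Added example, not part of the original message: a minimal Python reader for a file credential cache, run over a constructed sample, showing that each cache entry carries the session key unencrypted right beside the opaque ticket, which is why the cache file is protected as a unit. It assumes the version 4 (0x0504) file layout described in the MIT krb5 documentation; the function names and all sample values are constructed for illustration.

```python
import struct

def _data(buf, off):
    """Length-prefixed blob: 32-bit big-endian length, then the value."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _principal(buf, off):
    """name_type (32 bits), component count (32 bits), realm, components."""
    _name_type, count = struct.unpack_from(">II", buf, off)
    realm, off = _data(buf, off + 8)
    parts = []
    for _ in range(count):
        part, off = _data(buf, off)
        parts.append(part.decode())
    return "/".join(parts) + "@" + realm.decode(), off

def first_credential(buf):
    """Summarise the first credential entry of a version 4 ccache (assumed layout)."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("not a version 4 credential cache")
    (hdrlen,) = struct.unpack_from(">H", buf, 2)
    _default, off = _principal(buf, 4 + hdrlen)
    client, off = _principal(buf, off)
    server, off = _principal(buf, off)
    (enctype,) = struct.unpack_from(">H", buf, off)
    key, off = _data(buf, off + 2)        # session key, stored unencrypted
    off += 4 * 4 + 1 + 4                  # four timestamps, is_skey, ticket flags
    for _ in range(2):                    # address list, then authdata list
        (n,) = struct.unpack_from(">I", buf, off)
        off += 4
        for _item in range(n):
            _blob, off = _data(buf, off + 2)   # 16-bit type, then data
    ticket, off = _data(buf, off)         # opaque to the client: encrypted for the service
    return {"client": client, "server": server, "enctype": enctype,
            "session_key_len": len(key), "ticket_len": len(ticket)}

# Constructed sample cache: one TGT entry for a made-up principal.
def _d(b):
    return struct.pack(">I", len(b)) + b
def _p(realm, *parts):
    return struct.pack(">II", 1, len(parts)) + _d(realm) + b"".join(map(_d, parts))

SAMPLE = (b"\x05\x04" + struct.pack(">H", 0) + _p(b"EXAMPLE.COM", b"alice")
          + _p(b"EXAMPLE.COM", b"alice") + _p(b"EXAMPLE.COM", b"krbtgt", b"EXAMPLE.COM")
          + struct.pack(">H", 18) + _d(bytes(32))            # enctype 18, 32-byte key
          + struct.pack(">IIII", 0, 0, 0, 0) + b"\x00" + struct.pack(">I", 0)
          + struct.pack(">II", 0, 0)                          # no addresses, no authdata
          + _d(b"opaque-ticket-bytes") + _d(b""))             # ticket, empty second ticket
```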
