Comment 17 for bug 1287301

David Chadwick (d-w-chadwick) wrote :

Can I make a few assertions that might help in these deliberations.
1. If you don't cache tokens, you don't need revocation lists. You get a fresh token each time.
2. There is no point in having a revocation cache time longer than a token cache time, because once a token cache time expires a new token has to be obtained. So if the token has been revoked you won't learn about it.
3. There is no point in having a revocation cache time equal to a token cache time because they will both expire at the same time, so even if the token has been revoked you still won't learn about it (until you get the next revocation list).
4. So the only sensible solution is to have a token cache time significantly longer than the revocation cache time (I would say at least twice as long, since the probability that a token has been revoked in the second half of its life is 50%). Using longer revocation times, you decrease the probability that you will learn about the revocation.
5. If you have short token cache times, you probably don't need revocation lists.
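The interaction between the two cache lifetimes in assertions 1 to 4 can be checked with a small simulation. The following is an added example, not Keystone code and not the commenter's: a service that caches validated tokens for `token_ttl` seconds and the revocation list for `revocation_ttl` seconds, with a token validated at t=0 and revoked on the identity server at `revoke_at`. The `IdentityServer` and `CachingValidator` classes, their method names, the integer time steps and the `detection_time` helper are all assumptions made to keep the model small.

```python
"""Toy simulation of token-cache versus revocation-list-cache lifetimes.

Added example for the assertions above; not Keystone code and not the
commenter's code.  The classes, method names and integer time steps are
assumptions made to keep the model small.
"""

from dataclasses import dataclass, field


@dataclass
class IdentityServer:
    """Authoritative source: knows immediately when a token is revoked."""

    revoked: set = field(default_factory=set)

    def revoke(self, token: str) -> None:
        self.revoked.add(token)

    def revocation_list(self) -> set:
        return set(self.revoked)

    def validate(self, token: str) -> bool:
        return token not in self.revoked


@dataclass
class CachingValidator:
    """Service-side validator with a token cache and a revocation-list cache."""

    server: IdentityServer
    token_ttl: int         # 0 means "do not cache tokens" (assertion 1)
    revocation_ttl: int    # how long a fetched revocation list is reused
    _token_expiry: dict = field(default_factory=dict)  # token -> revalidate-at time
    _revoked: set = field(default_factory=set)          # cached revocation list
    _revocation_expiry: int = -1                         # refresh-at time for the list

    def _current_revocation_list(self, now: int) -> set:
        # Refetch the list only when its cache lifetime has run out.
        if now >= self._revocation_expiry:
            self._revoked = self.server.revocation_list()
            self._revocation_expiry = now + self.revocation_ttl
        return self._revoked

    def is_valid(self, token: str, now: int) -> bool:
        # The cached revocation list is consulted first, then the token cache;
        # the server is asked only when the cached token entry has expired.
        if token in self._current_revocation_list(now):
            return False
        expiry = self._token_expiry.get(token)
        if expiry is None or now >= expiry:
            if not self.server.validate(token):
                self._token_expiry.pop(token, None)
                return False
            self._token_expiry[token] = now + self.token_ttl
        return True


def detection_time(token_ttl: int, revocation_ttl: int, revoke_at: int,
                   horizon: int = 120) -> int:
    """Validate a token at t=0, revoke it at ``revoke_at`` and return the first
    time step at which the caching validator reports it invalid."""
    server = IdentityServer()
    validator = CachingValidator(server, token_ttl, revocation_ttl)
    token = "constructed-token-id"  # constructed sample token, not a real one
    assert validator.is_valid(token, 0)
    for now in range(1, horizon):
        if now == revoke_at:
            server.revoke(token)
        if not validator.is_valid(token, now):
            return now
    raise RuntimeError("revocation never observed within horizon")


if __name__ == "__main__":
    for ttl_tok, ttl_rev in [(10, 20), (10, 10), (10, 5), (0, 60)]:
        print(f"token_ttl={ttl_tok:2d} revocation_ttl={ttl_rev:2d} "
              f"-> revoked at t=3, noticed at t={detection_time(ttl_tok, ttl_rev, 3)}")
```

With the token revoked at t=3, a revocation cache longer than (10 vs 20) or equal to (10 vs 10) the token cache notices the revocation only at t=10, when the token entry expires anyway, which is assertions 2 and 3; a revocation cache of 5 notices it at t=5, assertion 4; and with no token cache at all it is noticed at t=3 without any revocation list, assertion 1.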