Subject: gss_acquire_cred_with_password() ignores expired creds

When Luke originally implemented gss_acquire_cred_with_password(), he had it use a memory ccache and not cache the resulting ticket. I didn't like the performance implications of that and changed it to use the default cache. I also made it not get tickets if the default cache already contains creds.

This has some unfortunate implications. At a minimum, gss_acquire_cred_with_password() needs to get new creds if the current cache's creds are expired or close to expiring (perhaps "more than halfway"). Another option is for gss_acquire_cred_with_password() to always get new creds, and document that applications should first call gss_acquire_cred() with just the name to see if there is a suitable cred present.

It may be worth checking on Heimdal's behavior to make sure that we aren't gratuitously divergent.
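
The "expired or more than halfway" test proposed in the ticket can be written as a small decision function. This is an added example, not code from the ticket or from the krb5 tree; `struct ticket_times`, `classify_cred()` and `should_get_new_creds()` are hypothetical names, with the struct modelled on the time fields a Kerberos credential carries. It assumes a start time of 0 means "valid from authtime" and that a not-yet-valid credential should be replaced.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a credential's time fields, so the example
 * builds without the Kerberos headers. Times are seconds since the epoch. */
struct ticket_times {
    int64_t authtime;   /* initial authentication */
    int64_t starttime;  /* 0 means "valid from authtime" (assumption) */
    int64_t endtime;    /* expiry */
};

enum cred_state { CRED_FRESH, CRED_PAST_HALF, CRED_EXPIRED, CRED_UNUSABLE };

/* Classify a cached credential at time `now`. */
enum cred_state classify_cred(const struct ticket_times *t, int64_t now)
{
    int64_t start = t->starttime ? t->starttime : t->authtime;

    if (t->endtime <= start)
        return CRED_UNUSABLE;       /* zero or negative lifetime */
    if (now < start)
        return CRED_UNUSABLE;       /* not yet valid (assumption: replace it) */
    if (now >= t->endtime)
        return CRED_EXPIRED;
    /* Elapsed vs. remaining lifetime; avoids overflowing 2 * elapsed. */
    if (now - start > t->endtime - now)
        return CRED_PAST_HALF;
    return CRED_FRESH;
}

/* Policy from the ticket: skip the password exchange only for a fresh cred. */
int should_get_new_creds(const struct ticket_times *t, int64_t now)
{
    return classify_cred(t, now) != CRED_FRESH;
}

int main(void)
{
    /* Constructed sample: a 10-hour ticket issued at t=1000. */
    struct ticket_times t = { 1000, 0, 1000 + 36000 };
    int64_t probes[] = { 1000, 19000, 19001, 37000 };

    for (int i = 0; i < 4; i++)
        printf("now=%lld get_new=%d\n", (long long)probes[i],
               should_get_new_creds(&t, probes[i]));
    return 0;
}
```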