The information used to authenticate principals in these systems is contained in some form of ticket or certificate. These tickets (also called credentials) contain IDs, keys and other pieces of information that are used to provide identities. A ticket alone does not authenticate its holder. Accompanying each ticket is some form of authenticator or verifier that, used in conjunction with the ticket, verifies the identity by providing a time reference of usage. Since tickets have distinct lifetimes, it is assumed that a user who holds the credential and presents it within the appropriate time frame is the named user. Tickets expire to prevent pre- or post-usage. A ticket that is compromised by an intruder can only be used by the intruder through the lifetime of the ticket (from the conclusion of the session or the expiration of the ticket). In these systems, the user can set the lifetime of a ticket up to a specified maximum. Tickets that provide authentication are usually created by a trusted principal. The format used to describe the contents of these tickets is as follows:
Properties that are beyond the scope of this paper and will not be discussed include: