Oh, your main concern is not protocol transition for the initiator (though that'd be nice, no?) but protocol transition for the acceptor. But the acceptor doesn't need a TGT for this. Just an INITIAL service ticket will do (initial because, without a TGT for the user, what else can the service do but use a pre-auth that somehow produces an AP-REP with a reply key it can handle, with the KDC disallowing access to anything other than a service ticket with the acceptor as the target?).
Nico
