>>>>> "Nico" == Nico Williams <[email protected]> writes:
Nico> Oh, your main concern is not protocol transition for the
Nico> initiator (though that'd be nice, no?) but protocol transition
Nico> for the acceptor. But the acceptor doesn't need a TGT for
Nico> this. Just an INITIAL service ticket will do (initial
Nico> because, without a TGT for the user, what else can the service
Nico> do but use a pre-auth that somehow produces an AP-REP with a
Nico> reply key it can handle, with the KDC disallowing access to
Nico> anything other than a service ticket with the acceptor as the
Nico> target?).
Right.
The service doesn't need a TGT.
I was hoping for a mechanism such that
* A TGT is generated if the initiator can take it
* A service ticket is generated all the time
* The service never knows the TGT key
* The service always knows the context key
* The initiator need not know about the service ticket side of the
  business.
--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
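The five properties Sam lists above, as an added toy model that is not part of the thread and not ABFAB, MIT or Heimdal Kerberos code. A KDC holds a krbtgt key and one key per acceptor; an initial request always yields a service ticket sealed under the acceptor's key (carrying the context key), and a TGT sealed under the krbtgt key only when the initiator says it can take one. The ticket layout, the "initiator takes TGT" flag, the HMAC-SHA256 stream cipher and the names used are all constructed for this example; real Kerberos uses RFC 3961 encryption types and ASN.1 tickets.

```python
"""Toy model of Sam's property list: service ticket always, TGT optional,
acceptor learns the context key but can never open the TGT.

Constructed illustration only: the seal/unseal helpers, ticket format,
KDC class and principal names are assumptions made for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode SHA-256 keystream (toy stand-in for an RFC 3961 enctype)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; the MAC makes wrong-key decryption fail loudly."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC: wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class KdcReply:
    service_ticket: bytes            # always issued; sealed under the acceptor's key
    context_key: bytes               # session key shared by initiator and acceptor
    tgt: Optional[bytes]             # sealed under the krbtgt key; only if initiator can take it
    tgt_session_key: Optional[bytes] # never placed inside the service ticket


class ToyKDC:
    def __init__(self) -> None:
        self.krbtgt_key = os.urandom(32)
        self.service_keys: dict = {}

    def register_service(self, name: str) -> bytes:
        self.service_keys[name] = os.urandom(32)
        return self.service_keys[name]

    def initial_request(self, client: str, acceptor: str, initiator_takes_tgt: bool) -> KdcReply:
        """Initial (pre-auth driven) request: service ticket always, TGT optionally."""
        context_key = os.urandom(32)
        body = b"|".join([b"svc", client.encode(), acceptor.encode(), context_key.hex().encode()])
        service_ticket = seal(self.service_keys[acceptor], body)
        tgt = tgt_key = None
        if initiator_takes_tgt:
            tgt_key = os.urandom(32)
            tgt = seal(self.krbtgt_key, b"|".join([b"tgt", client.encode(), tgt_key.hex().encode()]))
        return KdcReply(service_ticket, context_key, tgt, tgt_key)


def acceptor_context_key(service_key: bytes, service_ticket: bytes) -> bytes:
    """What the acceptor can do with only its own key: recover the context key."""
    kind, _client, _acceptor, key_hex = unseal(service_key, service_ticket).split(b"|")
    if kind != b"svc":
        raise ValueError("not a service ticket")
    return bytes.fromhex(key_hex.decode())


def check_properties(initiator_takes_tgt: bool) -> dict:
    """Run one exchange and report which of the listed properties held."""
    kdc = ToyKDC()
    svc_key = kdc.register_service("host/acceptor.example")  # assumed name
    reply = kdc.initial_request("alice@EXAMPLE", "host/acceptor.example", initiator_takes_tgt)

    service_learns_tgt_key = False
    if reply.tgt is not None:
        try:
            unseal(svc_key, reply.tgt)   # acceptor tries its own key on the TGT
            service_learns_tgt_key = True
        except ValueError:
            pass
    return {
        "tgt_issued": reply.tgt is not None,
        "service_ticket_issued": reply.service_ticket is not None,
        "service_knows_context_key": acceptor_context_key(svc_key, reply.service_ticket) == reply.context_key,
        "service_learns_tgt_key": service_learns_tgt_key,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"initiator takes TGT={flag}: {check_properties(flag)}")
```

The interesting check is the last one: the acceptor holds only its own long-term key, so the MAC on the krbtgt-sealed blob fails and the TGT session key stays out of its reach, while the context key in its own ticket is always recoverable. Whether the initiator can take a TGT changes only whether the TGT exists, not the service ticket side.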