>>>>> "Rafa" == Rafa Marin Lopez <[email protected]> writes:

    Rafa> Hi Sam:
    >> 
    >> May we assume that TGT will be involved in a Kerberos exchange
    >> later on? I mean I think that TGT will have to be provided to
    >> the initiator somehow ( within GSS-EAP exchange? )
    >> 
    >> I assume that initiator will have some Kerberos source code
    >> implemented to handle the TGT and to request service
    >> tickets. Otherwise, having a TGT is useless as you mention.
    >> 
    >> I don't think these are reasonable assumptions.

    Rafa> Well, if we send a TGT or ST to the initiator, it would seem
    Rafa> reasonable to me that initiator knows how to handle it. But
    Rafa> maybe it is not reasonable.

I agree that if the initiator is going to use a TGT or ST then it's fine
to assume it has code to deal with one.  I think we may send a TGT or ST
to the initiator without being aware it can handle them; we could also
perform capability negotiation and confirm that the initiator can deal
with a TGT or ST before sending it. The capability option is desirable
if we want a different protocol.

In the case of the TGT there is no particular reason to generate a TGT
unless the initiator has Kerberos and can consume it.

In the case of the ST, it is often very useful to generate the ST and
hand the ST to the RP even if the initiator will never see the ST and
wouldn't know what to do with an ST if it had one.

Talking through this with Josh yesterday I've realized I am making
lots of assumptions about model and use that I have documented nowhere.
If you can wait a couple of days I'll write up my model and what I've
learned of the constraint space.

--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab