On 08/18/2017 08:35 AM, Stefan Metzmacher wrote:
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts its own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.
I'm not sure about "any KDC in the trust chain trusts the next hop."
RFC 4120 doesn't think about cross-realm relationships in terms of
trust. Simply having cross-realm keys with another realm doesn't
necessarily imply that the other realm is trustworthy.

> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) in their current form?

Well, it's mandatory in RFC 4120 section 2.7:

   Application servers MUST either do the transited-realm checks
   themselves or reject cross-realm tickets without
   TRANSITED-POLICY-CHECKED set.

It would be okay to skip this check on application servers if the
ticket has the TRANSITED-POLICY-CHECKED flag. Heimdal appears to do
this but MIT krb5 does not; I'm not sure why as that behavior dates
to before my time.
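The section 2.7 decision described in the reply above, as an added example that is not part of the thread and is not code from Heimdal or MIT krb5. It assumes the ticket's transited field has already been expanded into a plain list of intermediate realm names (the RFC 4120 section 3.3.3.2 compressed encoding is not decoded here), that local policy is a domain-style hierarchical-path rule plus an explicit allowlist of intermediate realms (the role capaths plays in a krb5.conf), and that the TRANSITED-POLICY-CHECKED flag is TicketFlags bit 12 expressed as a 32-bit mask with ASN.1 bit 0 in the most significant bit. The names TransitPolicy, hierarchical_path and check_transited are hypothetical, and the ticket data in the usage block is constructed.

```python
# Added example: the application-server side of the RFC 4120 section 2.7
# transited-realm decision. Not code from Heimdal, MIT krb5 or the thread.
# Assumptions: the transited field arrives already expanded into a list of
# intermediate realm names (the section 3.3.3.2 compressed encoding is not
# decoded here); local policy is a domain-style hierarchical-path rule plus
# an explicit allowlist; realm names are compared exactly (they are
# case-sensitive in Kerberos).
from dataclasses import dataclass, field

# TicketFlags bit 12 (transited-policy-checked) from RFC 4120 section 5.2.8,
# as a 32-bit mask with ASN.1 bit 0 in the most significant bit.
TRANSITED_POLICY_CHECKED = 0x00080000


@dataclass
class TransitPolicy:
    """Local policy of the application server (hypothetical shape)."""
    # Intermediate realms permitted even when off the hierarchical path.
    allowed_intermediates: set = field(default_factory=set)
    # True: skip the check when the KDC set TRANSITED-POLICY-CHECKED
    # (the Heimdal behaviour). False: always check (the MIT krb5 behaviour).
    honour_kdc_assertion: bool = True


def lineage(realm):
    """A domain-style realm followed by its ancestors: A.B.C -> [A.B.C, B.C, C]."""
    parts = realm.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def hierarchical_path(client_realm, server_realm):
    """Realms a ticket may transit between two domain-style realms: up from
    the client realm to the nearest common ancestor, then down to the server
    realm. Endpoints are excluded; unrelated realms yield an empty path."""
    up, down = lineage(client_realm), lineage(server_realm)
    common = next((r for r in up if r in down), None)
    if common is None:
        return set()
    path = set(up[: up.index(common) + 1]) | set(down[: down.index(common) + 1])
    path.discard(up[0])
    path.discard(down[0])
    return path


def check_transited(client_realm, server_realm, transited, ticket_flags, policy):
    """Decide whether an application server may accept a ticket.

    Returns (accepted, reason). A cross-realm ticket is accepted only if the
    server checks the transited realms itself, or the issuing KDC asserted
    TRANSITED-POLICY-CHECKED and local policy chooses to rely on that."""
    if client_realm == server_realm:
        return True, "not a cross-realm ticket; no transited check required"
    if ticket_flags & TRANSITED_POLICY_CHECKED and policy.honour_kdc_assertion:
        return True, "KDC set TRANSITED-POLICY-CHECKED; relying on its check"
    permitted = (hierarchical_path(client_realm, server_realm)
                 | set(policy.allowed_intermediates)
                 | {client_realm, server_realm})
    for realm in transited:
        if realm not in permitted:
            return False, f"transited realm {realm} is not on a permitted path"
    return True, "every transited realm is on a permitted path"


if __name__ == "__main__":
    # Constructed ticket data, not captured from a real KDC.
    print(check_transited("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU",
                          ["MIT.EDU", "EDU", "WASHINGTON.EDU"], 0,
                          TransitPolicy()))
    # Same ticket with a foreign realm spliced in and the KDC's assertion set:
    # the Heimdal-style policy accepts it, the MIT-style policy rejects it.
    bad = ["MIT.EDU", "EVIL.EXAMPLE", "WASHINGTON.EDU"]
    print(check_transited("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU", bad,
                          TRANSITED_POLICY_CHECKED, TransitPolicy()))
    print(check_transited("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU", bad,
                          TRANSITED_POLICY_CHECKED,
                          TransitPolicy(honour_kdc_assertion=False)))
```

The two policy settings in the usage block are the difference the reply points at: with honour_kdc_assertion set, a KDC that lies about having checked the path gets its ticket accepted unchecked, which is only sound if the server is prepared to rely on every KDC on the cross-realm path to set that flag honestly.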