On Wed, Feb 19, 2014 at 11:41 PM, Daniel Kahn Gillmor <[email protected]> wrote:
> This arrangement seems to suggest that the delegation constraint is
> something that will be managed for all principals by the KDC explicitly,
> rather than the end user being able to decide (or even know?) what
> explicit delegations are being offered. Am i understanding this right?

That's exactly right.

> Is there any mechanism for user-controllable delegation? (or perhaps
> more fundamentally, does this question even make sense, given the power
> held by the KDC already?)

The question very much makes sense. The original Kerberos design required that the applications have the final say on policy as to, e.g., cross-realm transit path policy and authorization in general. KDCs get to reject things (e.g., if there's no cross-realm trust relationship they must reject), and they get to indicate approval (e.g., TRANSIT-POLICY-CHECKED), but in principle they leave policy to the service application.

I missed the cut-off for -00 Internet-Drafts for IETF89, so the following is as-yet not submitted, but it will be submitted soon, and its goal is to address this problem:

https://raw.github.com/nicowilliams/kitten/master/gss-authzid.txt

Nico
--
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
