Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

2017-08-21 Thread Greg Hudson
On 08/18/2017 08:35 AM, Stefan Metzmacher wrote: > While thinking about this I can't see any value in checking the > transited list of the ticket. As that list is always under the > control of the KDC that issued the ticket. And the service > trusts it's own KDC anyway, as well as any KDC in the

Tangent from: [kitten] Checking the transited list . . .

2017-08-21 Thread Henry B (Hank) Hotz, CISSP
> On Aug 21, 2017, at 7:05 AM, Greg Hudson wrote: > > I'm not sure about "any KDC in the trust chain trusts the next hop." > RFC 4120 doesn't think about cross-realm relationships in terms of > trust. Simply having cross-realm keys with another realm doesn't > necessarily