On Thu, 28 Oct 2021 21:49:54 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> > > * The FORWARDABLE check removed is the one in S4U2Self. Apparently, for > > S4U2Proxy with non-S4U2Self second-tickets there were no checks. Now we > > check at S4U2Proxy level (for all 'second' tickets, S4U2Self and > > non-S4U2Self ones). Is that okay? Or do we need to be more specific and > > check for S4U2Self second-tickets only (in a S4U2Proxy communication)? > > That's what I asked you about a more precise way to ensure a cred is a > S4U2self one. I thought about stuff the `S4U2Type` value as a "type" field > into the credentials returned by `serviceCreds()` but it looks a little ugly. > This would be tricky. The problem is that the 'cname' and 'crealm' in the S4U2Self ticket are the user's ones; so indistinguishable from the non-S4U2Self. The 'sname' and 'srealm' are also equal: the middle service principal. I'm not sure if there are any differences in the PAC. Even when it's a bit 'ugly', storing the 'type' looks like a reliable scheme in my opinion. But the question that concerns me most is if we really want to make such a tight check, or we are willing to forward everything. I'd suggest to keep your proposal as it is now in this regard. Meanwhile, I'll check what the MIT client does and let you know if there is anything that we to consider. ------------- PR: https://git.openjdk.java.net/jdk/pull/6082
