Russ Allbery rra at
Fri Jul 18 22:40:45 EDT 2008

"Michael B Allen" <ioplex at> writes:

> Your choices are based on necessity, not trust. If the web application
> needs delegated credentials (e.g. to authenticate as the user with
> another tier), then you need to send the TGT [1].

Unless you use a system such as WebAuth or Cosign that supports limited
delegation, in which case you can send only exactly the credentials that
the web application needs.

> [1] Kerberos provides other ways to limit how the TGT can be used and to
> proxy service tickets and such but I don't think browsers have support
> for such things yet.

They don't so far as I know.  Delegation in all the current browsers is an
all-or-nothing affair.

Russ Allbery (rra at