ACL for Constrained Delegation?
Nico Williams
nico at cryptonector.com
Thu Feb 20 14:00:38 EST 2014
On Wed, Feb 19, 2014 at 11:41 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> This arrangement seems to suggest that the delegation constraint is
> something that will be managed for all principals by the KDC explicitly,
> rather than the end user being able to decide (or even know?) what
> explicit delegations are being offered. Am i understanding this right?
That's exactly right.
> Is there any mechanism for user-controllable delegation? (or perhaps
> more fundamentally, does this question even make sense, given the power
> held by the KDC already?)
The question very much makes sense. The original Kerberos design
required that the applications have the final say on policy as to,
e.g., cross-realm transit path policy and authorization in general.
KDCs get to reject things (e.g., if there's no cross-realm trust
relationship they must reject), and they get to indicate approval
(e.g., TRANSIT-POLICY-CHECKED), but in principle they leave policy to
the service application.
I missed the cut-off for -00 Internet-Drafts for IETF89, so the
following is as-yet not submitted, but it will be submitted soon, and
its goal is to address this problem:
https://raw.github.com/nicowilliams/kitten/master/gss-authzid.txt
Nico
--
More information about the Kerberos
mailing list