[krbdev.mit.edu #5596] patch for providing a way to set the ok-as-delegate flag
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Wed Jul 18 17:19:03 EDT 2007
I think it would be inappropriate to change the behavior for existing
applications with regard to the ok-as-delegate flag.
Allowing the realm to override and prevent delegation would violate
the software engineering principle of designing for your user.
However adding a new mechanism in the krb5 library and in the GSS-API
so that an application can say "Please delegate if the local realm
thinks it is a good idea," is a reasonable goal. It would require a
new GSS flag and new APIs at the krb5 layer.
More information about the krb5-bugs
mailing list