PROXY tickets and GSSAPI

Wyllys Ingersoll wyllys.ingersoll at sun.com
Wed Jun 26 15:49:01 EDT 2002


So, the benefit of PROXY tickets as opposed to a more general FORWARDABLE
ticket is that the PROXY ticket may only be used from the addresses
specified in the ticket, correct?  Is an addressless PROXY ticket
equivalent to a FORWARDABLE ticket?

Is there a way to actually specify a service or list of services that
the server may act as a proxy for?  Example, you only want the PROXY
server to use your creds to access "print" services on some server but
not other kerberized services?

-Wyllys

Jen Selby wrote:
>>Also, it's unclear to me how the PROXY flag (not the PROXIABLE flag)
>>ever gets set.  I'm assuming that the server who is acting on behalf
>>of the client is supposed to set this when it receives a PROXIABLE
>>cred that it is going to use.
> 
> 
> If the KDC gets a request with the PROXY flag set and the requestor
> has PROXIABLE tickets, then the KDC will set the PROXY flag in the
> tickets which it provides in response to the request.
> 
> 
>>I'm speculating also that the service that the proxy is actually
>>talking to must check for the PROXY flag and verify the address fields
>>before allowing the request to be processed.
> 
> 
> If an application wishes not to accept PROXY tickets, then it could
> check the PROXY flag and disallow tickets that have it set.  It is
> certainly not required to check for this, and can treat the PROXY
> tickets like any other tickets in terms of whether or not it accepts
> them.
> 
> Jen
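
The flag handling described in the quoted reply, as an added example that is not part of the original thread and is not MIT krb5 code: a small C model of the KDC's decision to set PROXY and of an application that chooses to refuse PROXY tickets. The function names and the policy enum are hypothetical; the bit values follow the RFC 4120 flag positions.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values for the two flags discussed in the thread. RFC 4120 numbers
 * bits from the most significant end, and TicketFlags and KDCOptions use
 * the same positions for these two. */
#define FLG_PROXIABLE 0x10000000u  /* bit 3 */
#define FLG_PROXY     0x08000000u  /* bit 4 */

/* Hypothetical per-service policy, not a real krb5 setting. */
enum proxy_policy { ACCEPT_PROXY, REJECT_PROXY };

/*
 * KDC side: decide the PROXY flag of a ticket issued from a request.
 * Returns 0 and writes *issued, or -1 when the PROXY option is requested
 * but the presented ticket is not PROXIABLE (RFC 4120 names this error
 * KDC_ERR_BADOPTION).
 */
int kdc_issue_flags(uint32_t presented_flags, uint32_t kdc_options,
                    uint32_t *issued)
{
    uint32_t out = 0;

    if (kdc_options & FLG_PROXY) {
        if (!(presented_flags & FLG_PROXIABLE))
            return -1;          /* requestor may not ask for a proxy */
        out |= FLG_PROXY;       /* the KDC, not the proxy, sets PROXY */
    }
    *issued = out;
    return 0;
}

/* Application side: the check is optional. Returns 1 = accept, 0 = reject. */
int service_accepts(uint32_t ticket_flags, enum proxy_policy policy)
{
    if (policy == REJECT_PROXY && (ticket_flags & FLG_PROXY))
        return 0;
    return 1;
}

int main(void)
{
    uint32_t t;
    /* Constructed sample: a PROXIABLE ticket presented with the PROXY option. */
    if (kdc_issue_flags(FLG_PROXIABLE, FLG_PROXY, &t) == 0)
        printf("issued flags 0x%08x, strict service accepts: %d\n",
               (unsigned)t, service_accepts(t, REJECT_PROXY));
    return 0;
}
```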






More information about the krbdev mailing list