PROXY tickets and GSSAPI

Douglas E. Engert deengert at
Wed Jun 26 17:57:00 EDT 2002

Ken Hornstein wrote:
> >    You are correct, I'm a bit confused about the diffs between proxy tix
> >and forwarded tix.    I understand that the proxy tickets are service
> >tickets
> >and the forwarded tix are TGTs.  Im trying to get my hands around the
> >problem of actually sending a useable service ticket (with the proxy flag
> >set) to a GSSAPI service.     I know that the TGT will be forwarded in the
> >gss_init_sec_context call when the delegation flag is set, but how would one
> >send the service ticket with the proxy flag - is this where the OOB exchange
> >between the client and proxy server comes into play?
> It's my gut feeling that, when it all boils down to everything at the end
> of the day, proxiable tickets have no real use.  Especially in our NATted
> world today.  Note that I'm probably in the minority on this one, and if you
> can prove me wrong, more power to you :-)

I thought the proxy ticket is for a service, so client could send only selected 
proxies to a server, rather then having to send a full TGT. Foe example send
an afs/cell at realm ticket to server, to it can access AFS in a specific cell, 
but nothing else.

The problem is the GSSPAI only has a single delegte flag, which is used 
for delegting a TGT. which is also forwardable.  

The GSSAPi extensions we are proposing at the GGF next month might address
this problem, by allowing more input to the GSS delegtion process, including
delegation at any time.

> --Ken
> _______________________________________________
> krbdev mailing list             krbdev at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list