Kerberos Feature Request

Daniel Kouril kouril at
Wed Feb 11 11:38:08 EST 2004

Henry B. Hotz wrote:
> I'm not sure if we're on the same wavelength or not.  Let me try again:
> I think there should be a standard way to fill in PAC data from outside 
> the KDC.

I'm not sure if I'm not missing something but could you tell me why KDC 
should do that? If I'm not mistaken, the user can put into the AS-REQ 
message any authorization data she wants and the KDC just copy them to 
the ticket, am I right? If so, then the client can propagate to the 
ticket all authorization data she needs without any intervention of KDC. 
I think this is very useful solution in a world of multiple 
authorization mechanisms, which can use very different formats of 
representations of the authorization attributes. It also allows users to 
build authorization data according their current needs.



More information about the krbdev mailing list