Kerberos Feature Request
Daniel Kouril
kouril at ics.muni.cz
Wed Feb 11 11:38:08 EST 2004
Henry B. Hotz wrote:
> I'm not sure if we're on the same wavelength or not. Let me try again:
>
> I think there should be a standard way to fill in PAC data from outside
> the KDC.
I'm not sure if I'm not missing something but could you tell me why KDC
should do that? If I'm not mistaken, the user can put into the AS-REQ
message any authorization data she wants and the KDC just copy them to
the ticket, am I right? If so, then the client can propagate to the
ticket all authorization data she needs without any intervention of KDC.
I think this is very useful solution in a world of multiple
authorization mechanisms, which can use very different formats of
representations of the authorization attributes. It also allows users to
build authorization data according their current needs.
cheers,
--
Daniel
More information about the krbdev
mailing list