Kerberos Feature Request

Daniel Kouril kouril at
Thu Feb 12 05:01:32 EST 2004

On Wed, Feb 11, 2004 at 12:49:37PM -0500, Derek Atkins wrote:
> > I'm not sure if I'm not missing something but could you tell me why
> > KDC should do that? If I'm not mistaken, the user can put into the
> > AS-REQ message any authorization data she wants and the KDC just copy
> > them to the ticket, am I right? If so, then the client can propagate
> > to the ticket all authorization data she needs without any
> > intervention of KDC. I think this is very useful solution in a world
> > of multiple authorization mechanisms, which can use very different
> > formats of representations of the authorization attributes. It also
> > allows users to build authorization data according their current needs.
> Cool, I can assert "this user is god and should have full access to
> all services" into the PAC data and the KDC will just pass it along..

What's wrong here? I don't think that any reasnable end application would
accept such an assesrtion (which is not certified by an AuthZ service)

> Seriously, there needs to be an "Authorization Service" (AuthN) that
> sits along-side the "Authentication Service" (AuthZ).  I'm not saying
> whether or not these services are combined or separate, but the AuthZ
> service needs to be just as secure as the AuthN service.  You can't
> just ask the user to present the AuthZ data to the KDC to be signed.

I don't want the AuthZ data to be signed by the KDC. I think the KDC should
just passed on the data, which is already "signed" by an independent AuthZ
service (e.g. in the form of an attribute certificate) and sent to the KDC
by the client. I don't like mixing of AuthN and AuthZ mechs, you can't
expect your KDC will know every AuthZ services used by the user.


More information about the krbdev mailing list