Kerberos Feature Request
frank.balluffi at db.com
Thu Feb 12 09:03:43 EST 2004
Daniel Kouril said:
"When I need to do some administrative task, I'll ask the authZ service
for another certificate with admin privileges and pass it on to the end
service (as part of the authentication process, possibly). I would like if
this can be done without KDC. Does it make sense?"
Yes. draft-ietf-krb-wg-kerberos-clarifications-04.txt even describes this
"A separate service providing authorization or certifying group membership
may be built using the authorization-data field. In this case, the entity
granting authorization (not the authorized entity), may obtain a ticket in
its own name (e.g. the ticket is issued in the name of a privilege
server), and this entity adds restrictions on its own authority and
delegates the restricted authority through a proxy to the client. The
client would then present this authorization credential to the application
server separately from the authentication exchange."
I originally thought you were describing a client telling a server what
privileges it has, not what privileges it needs. So, I agree.
Daniel Kouril <kouril at ics.muni.cz>
Sent by: krbdev-bounces at mit.edu
02/12/2004 05:17 AM
To: Frank Balluffi/NewYork/DBNA/DeuBa at DBNA
cc: krbdev at mit.edu, Sam Hartman <hartmans at mit.edu>, "Henry B. Hotz"
<hotz at jpl.nasa.gov>, Byrne <Dj.Byrne at jpl.nasa.gov>
Subject: Re: Kerberos Feature Request
On Wed, Feb 11, 2004 at 01:02:50PM -0500, Frank Balluffi wrote:
> Regarding passing authorization data in an AS-REQ, the Microsoft KDC
> allows a client to specify whether to put PAC data in a ticket or not
> I am not convinced it is a good idea for a client to specify its
> authorization data. Might such a mechanism allow a user to increase its
who else than the client knows what exact privileges she currently needs?
can imagine a situation where I have an separate (for example) role-based
authZ service which issues "certificates" stating that I'm an common user.
These authz certificates I use most of time (and pass it to the services
can process such certificates). When I need to do some administrative
I'll ask the authZ service for another certificate with admin privileges
pass it on to the end service (as part of the authentication process,
possibly). I would like if this can be done without KDC. Does it make
krbdev mailing list krbdev at mit.edu
More information about the krbdev