Kerberos Feature Request
Frank Balluffi
frank.balluffi at db.com
Thu Feb 12 09:03:43 EST 2004
Daniel Kouril said:
"When I need to do some administrative task, I'll ask the authZ service
for another certificate with admin privileges and pass it on to the end
service (as part of the authentication process, possibly). I would like it if
this can be done without the KDC. Does it make sense?"
Yes. draft-ietf-krb-wg-kerberos-clarifications-04.txt even describes this
case:
"A separate service providing authorization or certifying group membership
may be built using the authorization-data field. In this case, the entity
granting authorization (not the authorized entity), may obtain a ticket in
its own name (e.g. the ticket is issued in the name of a privilege
server), and this entity adds restrictions on its own authority and
delegates the restricted authority through a proxy to the client. The
client would then present this authorization credential to the application
server separately from the authentication exchange."
I originally thought you were describing a client telling a server what
privileges it has, not what privileges it needs. So, I agree.
Frank
Daniel Kouril <kouril at ics.muni.cz>
Sent by: krbdev-bounces at mit.edu
02/12/2004 05:17 AM
To: Frank Balluffi/NewYork/DBNA/DeuBa at DBNA
cc: krbdev at mit.edu, Sam Hartman <hartmans at mit.edu>, "Henry B. Hotz"
<hotz at jpl.nasa.gov>, Byrne <Dj.Byrne at jpl.nasa.gov>
Subject: Re: Kerberos Feature Request
On Wed, Feb 11, 2004 at 01:02:50PM -0500, Frank Balluffi wrote:
> Daniel,
>
> Regarding passing authorization data in an AS-REQ, the Microsoft KDC
> allows a client to specify whether to put PAC data in a ticket or not (see
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp).
> I am not convinced it is a good idea for a client to specify its
> authorization data. Might such a mechanism allow a user to increase its
> privileges?
Frank,
who other than the client knows what exact privileges she currently needs? I
can imagine a situation where I have a separate (for example) role-based
authZ service which issues "certificates" stating that I'm a common user.
These authz certificates I use most of the time (and pass them to the services
that can process such certificates). When I need to do some administrative
task, I'll ask the authZ service for another certificate with admin privileges
and pass it on to the end service (as part of the authentication process,
possibly). I would like it if this can be done without the KDC. Does it make
sense?
--
Daniel
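The pattern discussed above (a privilege server issuing a separate, restricted authorization credential that the client presents to the application server after Kerberos authentication) as an added Python example. This is not code from the thread, from the clarifications draft or from any Kerberos implementation: it models the credential as an HMAC-tagged JSON assertion under a key assumed to be shared by the privilege server and the application server, and the principal names, issuer name, host names and the action-to-role policy are all constructed for the demo. It shows why a client choosing which credential to present (user vs. admin) does not let it raise its privileges: the roles are asserted and integrity-protected by the privilege server, bound to the authenticated principal, and bounded by restrictions and a lifetime.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by the privilege server and the application
# server. In a Kerberos deployment the credential would be protected by keys
# derived from the ticket exchange; a bare HMAC key stands in for that here.
PRIVILEGE_SERVER_KEY = b"constructed-demo-key-do-not-use"

# Hypothetical policy of the application server: which role each action needs.
ACTION_POLICY = {"read-record": "user", "restart-service": "admin"}


class AuthzError(Exception):
    """Raised when an authorization credential must be rejected outright."""


def _canonical(payload: dict) -> bytes:
    # Stable encoding so issuer and verifier MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_authz_credential(key, principal, roles, restrictions, lifetime_s, now):
    """Privilege server: assert roles for a principal, bounded by restrictions
    and a lifetime, and MAC the assertion so the client cannot alter it."""
    payload = {
        "issuer": "privsrv@EXAMPLE.COM",  # constructed issuer name
        "principal": principal,
        "roles": sorted(roles),
        "restrictions": restrictions,
        "issued_at": int(now),
        "expires_at": int(now + lifetime_s),
    }
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_authz_credential(key, credential, authenticated_principal, now):
    """Application server: check integrity, binding to the principal that
    Kerberos already authenticated, and the validity window."""
    payload = credential["payload"]
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["tag"]):
        raise AuthzError("bad tag")
    if payload["principal"] != authenticated_principal:
        raise AuthzError("principal mismatch")
    if not payload["issued_at"] <= now < payload["expires_at"]:
        raise AuthzError("expired")
    return payload


def authorize(key, credential, authenticated_principal, action, host, now):
    """True/False for `action` on `host`; raises AuthzError if the credential
    itself is invalid. Restrictions narrow what the asserted roles permit."""
    payload = verify_authz_credential(key, credential, authenticated_principal, now)
    if ACTION_POLICY[action] not in payload["roles"]:
        return False
    allowed_hosts = payload["restrictions"].get("hosts")
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    return True


def demo():
    """Walk through the scenario from the thread; returns a dict of outcomes."""
    key, who, now = PRIVILEGE_SERVER_KEY, "frank@EXAMPLE.COM", 1076580000
    # Everyday credential: plain user role, long lived, no host restriction.
    user_cred = issue_authz_credential(key, who, ["user"], {}, 8 * 3600, now)
    # Admin credential requested only for the administrative task: short lived
    # and restricted to one host, so its reach stays small.
    admin_cred = issue_authz_credential(
        key, who, ["user", "admin"], {"hosts": ["db01.example.com"]}, 600, now)

    out = {}
    out["user_read"] = authorize(key, user_cred, who, "read-record", "db01.example.com", now)
    out["user_restart"] = authorize(key, user_cred, who, "restart-service", "db01.example.com", now)
    out["admin_restart"] = authorize(key, admin_cred, who, "restart-service", "db01.example.com", now)
    out["admin_restart_other_host"] = authorize(
        key, admin_cred, who, "restart-service", "web01.example.com", now)

    # A client editing its own user credential to claim admin breaks the MAC.
    forged = json.loads(json.dumps(user_cred))
    forged["payload"]["roles"].append("admin")
    cases = [
        ("forged", forged, who, now),                                # tampered payload
        ("replayed_by_other", admin_cred, "mallory@EXAMPLE.COM", now),  # wrong principal
        ("expired", admin_cred, who, now + 3600),                    # past its lifetime
    ]
    for name, cred, principal, t in cases:
        try:
            authorize(key, cred, principal, "restart-service", "db01.example.com", t)
            out[name] = "accepted"
        except AuthzError as exc:
            out[name] = str(exc)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the thread circles around is visible in `verify_authz_credential`: the application server never trusts the roles because the client sent them, only because the privilege server's tag over principal, roles, restrictions and lifetime still verifies, and the principal inside matches the one Kerberos authenticated. The client is free to pick the least-privileged credential that fits the task, which is Daniel's usage pattern, but cannot mint or widen one.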
_______________________________________________
krbdev mailing list krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev