Kerberos Feature Request

[Ken Hornstein]

>After being jumped on for mis-using the Microsoft term PAC when I 
>meant the generic Kerberos term "authorization data" I went and 
>RE-read the relevant sections of 1510 and the DRAFT clarifications 
>(including the specific section of the latter that JA pointed at). 
>As far as I can see there is nothing in them that addresses the KDC 
>to (unspecified) authorization service interface that would be 
>necessary in order for the KDC to acquire KDC-ISSUED authorization 
>data.

Right, because that's outside of the Kerberos protocol.

>>Now, currently the authorization data is what you call "pretty
>>inaccessible".  If you're speaking in terms of the GSSAPI, I would
>>agree.  However, if you are using the MIT krb5 API, then I wouldn't
>>agree, because you can get access to the authorization data on
>>application servers via the MIT krb5 API (which is what you really
>>care about from an application server perspective).  You can utilize
>>this API feature no matter who's KDC you are using.
>
>Doesn't the Kerberos FAQ recommend that you use GSSAPI in preference 
>to the MIT API?  ;-)

No, it doesn't, actually (speaking as the FAQ author).  The strongest
word it might say in that regard is "consider", and you'll note that
text wasn't written by me.

--Ken