Kerberos Feature Request
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Feb 13 10:40:47 EST 2004
>After being jumped on for mis-using the Microsoft term PAC when I
>meant the generic Kerberos term "authorization data" I went and
>RE-read the relevant sections of 1510 and the DRAFT clarifications
>(including the specific section of the latter that JA pointed at).
>As far as I can see there is nothing in them that addresses the KDC
>to (unspecified) authorization service interface that would be
>necessary in order for the KDC to acquire KDC-ISSUED authorization
>data.
Right, because that's outside of the Kerberos protocol.
>>Now, currently the authorization data is what you call "pretty
>>inaccessible". If you're speaking in terms of the GSSAPI, I would
>>agree. However, if you are using the MIT krb5 API, then I wouldn't
>>agree, because you can get access to the authorization data on
>>application servers via the MIT krb5 API (which is what you really
>>care about from an application server perspective). You can utilize
>>this API feature no matter whose KDC you are using.
>
>Doesn't the Kerberos FAQ recommend that you use GSSAPI in preference
>to the MIT API? ;-)
No, it doesn't, actually (speaking as the FAQ author). The strongest
word it might say in that regard is "consider", and you'll note that
text wasn't written by me.
--Ken