capaths questions

[Sam Hartman]

>>>>> "Derek" == Derek Atkins <warlord at MIT.EDU> writes:

    Derek> True, but the destination KDC does get to enforce it (as
    Derek> you suggest later).

And should not do so.  The destination kdc should leave the policy
checked flag clear and the application server should reject.

I realize our code does not currently do this.  That's because of a
bug in previous versions of our code.  The 1.4 code base should be more liberal at the KDC layer.