william.fiveash at sun.com
Mon May 17 18:27:15 EDT 2004
On Mon, May 17, 2004 at 04:56:58PM -0400, Sam Hartman wrote:
> >>>>> "Derek" == Derek Atkins <warlord at MIT.EDU> writes:
> Derek> True, but the destination KDC does get to enforce it (as
> Derek> you suggest later).
> And should not do so. The destination kdc should leave the policy
> checked flag clear and the application server should reject.
I would think that the destination kdc should be able to enforce a
trusted path policy globally for the realm it serves and not issue
tickets for those requests that don't conform to that policy. Of course
an application server should have the option to do it's own checking in
the circumstance that it's policy is more strict than the kdc's.
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
More information about the krbdev