capaths questions
Sam Hartman
hartmans at MIT.EDU
Mon May 17 19:12:13 EDT 2004
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
Nicolas> On Mon, May 17, 2004 at 05:24:46PM -0500, Matt Crawford
Nicolas> wrote:
>>
>> On May 17, 2004, at 15:56, Sam Hartman wrote:
>>
>> > Derek> True, but the destination KDC does get to enforce it (as
>> > Derek> you suggest later).
>> >
>> >And should not do so. The destination kdc should leave the policy
>> >checked flag clear and the application server should reject.
>>
>> I've been following the thread quietly until this point, but
>> now I have to disagree. I want to be able to have my FNAL.GOV
>> deny the service ticket if I choose to, or leave it up to the
>> service to deny access.
I think it is almost always wrong for a KDC to deny transit policy. I
think it is almost always wrong for an application server to accept a
ticket without the transit policy checked flag.
More information about the krbdev mailing list
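Added example, not part of the original message or of any Kerberos implementation: a simplified Python model of the split argued for in the message above, where the destination KDC issues the ticket either way and only sets the transited-policy-checked flag when the path passes policy, and the application server rejects tickets without it. The capaths-style table, the `.EXAMPLE` realm names, and the function names are constructed assumptions; the flag value is ticket flag bit 12 from RFC 4120.

```python
# Added illustration; table contents and function names are constructed.
TKT_FLG_TRANSIT_POLICY_CHECKED = 0x00080000  # ticket flag bit 12 (RFC 4120)

# Simplified capaths-style table (assumption): CAPATHS[client][server] lists the
# intermediate realms allowed on the path; "." means direct trust only.
CAPATHS = {
    "A.EXAMPLE": {"FNAL.GOV": ["HUB.EXAMPLE"]},
    "B.EXAMPLE": {"FNAL.GOV": ["."]},
}


def path_allowed(client_realm, server_realm, transited):
    """True if every transited realm is a permitted intermediate."""
    if client_realm == server_realm:
        return not transited  # same-realm ticket: nothing may be transited
    allowed = CAPATHS.get(client_realm, {}).get(server_realm)
    if allowed is None:
        return False  # no configured path between these realms
    permitted = {realm for realm in allowed if realm != "."}
    return all(realm in permitted for realm in transited)


def kdc_issue_flags(client_realm, server_realm, transited, flags=0):
    """Destination KDC: never deny; set the flag only if the path checks out."""
    if path_allowed(client_realm, server_realm, transited):
        flags |= TKT_FLG_TRANSIT_POLICY_CHECKED
    return flags


def server_accepts(flags):
    """Application server: reject any ticket that lacks the flag."""
    return bool(flags & TKT_FLG_TRANSIT_POLICY_CHECKED)


if __name__ == "__main__":
    cases = [
        ("A.EXAMPLE", ["HUB.EXAMPLE"]),    # permitted intermediate
        ("A.EXAMPLE", ["OTHER.EXAMPLE"]),  # realm not on the configured path
        ("B.EXAMPLE", []),                 # direct trust, nothing transited
        ("B.EXAMPLE", ["HUB.EXAMPLE"]),    # direct-only path, but transited
    ]
    for client, transited in cases:
        flags = kdc_issue_flags(client, "FNAL.GOV", transited)
        print(client, transited, hex(flags), server_accepts(flags))
```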