capaths questions

Sam Hartman hartmans at MIT.EDU
Mon May 17 19:12:13 EDT 2004

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:

    Nicolas> On Mon, May 17, 2004 at 05:24:46PM -0500, Matt Crawford wrote:
    >> On May 17, 2004, at 15:56, Sam Hartman wrote:
    >> > Derek> True, but the destination KDC does get to enforce it (as
    >> > Derek> you suggest later).
    >> >
    >> > And should not do so.  The destination kdc should leave the
    >> > policy checked flag clear and the application server should
    >> > reject.
    >>
    >> I've been following the thread quietly until this point, but
    >> now I have to disagree.  I want to be able to have my FNAL.GOV
    >> deny the service ticket if I choose to, or leave it up to the
    >> service to deny access.

I think it is almost always wrong for a KDC to deny transit policy.  I
think it is almost always wrong for an application server to accept a
ticket without the transit policy checked flag.
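The two enforcement points being argued over (the destination KDC setting or clearing the TRANSITED-POLICY-CHECKED flag versus refusing the ticket, and the application server rejecting a ticket whose flag is clear) can be made concrete. The following is an added example written for this thread; it is not MIT Kerberos code and not anything the posters supplied. It decodes the X500-COMPRESS transited encoding from RFC 4120 section 3.3.3.2, checks the expanded realm list against a [capaths]-style table, and models both behaviours. The CAPATHS table, the realm names, the Ticket class, and the function names are constructed for the example; the policy rule it applies (every realm named in the transited field must appear in the configured path, and a null subfield is never vouched for) is a deliberate simplification of what a real KDC does.

```python
"""Transited-realm policy: decode the X500-COMPRESS transited field (RFC 4120
3.3.3.2), check it against a [capaths]-style table, and model the two
enforcement points discussed in the thread (destination KDC vs. application
server).  Added example; not MIT Kerberos code.  CAPATHS, realm names, and the
exact policy rule are constructed/simplified for illustration."""
import re
from dataclasses import dataclass

WILDCARD = "*"  # marker for a null subfield (",EDU"): "every realm in between"


def _split_fields(encoded):
    """Split on unescaped ',' while keeping backslash escapes intact so the
    prepend/append rules below can tell a quoted '.' from a real one."""
    fields, cur, i = [], "", 0
    while i < len(encoded):
        if encoded[i] == "\\" and i + 1 < len(encoded):
            cur += encoded[i:i + 2]
            i += 2
        elif encoded[i] == ",":
            fields.append(cur)
            cur = ""
            i += 1
        else:
            cur += encoded[i]
            i += 1
    fields.append(cur)
    return fields


def _unescape(field):
    return re.sub(r"\\(.)", r"\1", field)


def decode_transited(encoded):
    """Expand X500-COMPRESS: 'X.' is prepended to the previous realm, '/X' is
    appended to it, a leading space makes a realm stand alone, and an empty
    subfield is a wildcard for all realms between its neighbours."""
    if encoded == "":
        return []                                  # no intermediate realms
    realms, prev = [], ""
    for raw in _split_fields(encoded):
        if raw == "":
            realms.append(WILDCARD)
            continue
        if raw.endswith(".") and not raw.endswith("\\."):
            name = _unescape(raw) + prev           # "MIT." after "EDU" -> "MIT.EDU"
        elif raw.startswith("/"):
            name = prev + _unescape(raw)           # "/HP" after "/COM" -> "/COM/HP"
        else:
            name = _unescape(raw.lstrip(" "))      # " /COM/DEC" stands alone
        realms.append(name)
        prev = name
    return realms


# Constructed [capaths]-style table: client realm -> server realm -> realms that
# may appear in the transited field.  ["."] mirrors krb5.conf: direct trust,
# no intermediates.  The realm names are made up for the example.
CAPATHS = {
    "ATHENA.MIT.EDU": {
        "CS.WASHINGTON.EDU": ["MIT.EDU", "EDU", "WASHINGTON.EDU"],
        "MIT.EDU": ["."],
    },
}


def transit_allowed(capaths, client_realm, server_realm, transited):
    """Simplified policy rule: every realm named in the transited field must be
    in the configured path.  A null subfield cannot be enumerated here, so the
    checker refuses to vouch for it instead of guessing."""
    path = capaths.get(client_realm, {}).get(server_realm)
    if path is None:
        return False
    allowed = set() if path == ["."] else set(path)
    realms = decode_transited(transited)
    if WILDCARD in realms:
        return False
    return set(realms) <= allowed


@dataclass
class Ticket:
    client_realm: str
    server_realm: str
    transited: str
    transited_policy_checked: bool = False   # the flag carried in EncTicketPart


def kdc_issue(capaths, client_realm, server_realm, transited, deny_on_failure=False):
    """Destination KDC.  deny_on_failure=True refuses the ticket outright (the
    behaviour Matt asks for); False issues it with the flag clear so the
    application server decides (the behaviour argued for above)."""
    checked = transit_allowed(capaths, client_realm, server_realm, transited)
    if not checked and deny_on_failure:
        raise PermissionError("KDC_ERR_POLICY: transited path rejected")
    return Ticket(client_realm, server_realm, transited, transited_policy_checked=checked)


def app_server_accept(ticket, local_capaths=None):
    """Application server: accept when the KDC vouched for the path; otherwise
    run its own check if it has a local policy table, else reject."""
    if ticket.transited_policy_checked:
        return True
    if local_capaths is None:
        return False
    return transit_allowed(local_capaths, ticket.client_realm,
                           ticket.server_realm, ticket.transited)


if __name__ == "__main__":
    good = kdc_issue(CAPATHS, "ATHENA.MIT.EDU", "CS.WASHINGTON.EDU", "EDU,MIT.,WASHINGTON.EDU")
    bad = kdc_issue(CAPATHS, "ATHENA.MIT.EDU", "CS.WASHINGTON.EDU", "EDU,MIT.,ROGUE.EDU")
    print(good.transited_policy_checked, app_server_accept(good))   # True True
    print(bad.transited_policy_checked, app_server_accept(bad))     # False False
```

Note what the flag buys the service: with the flag set it can accept without holding its own [capaths] table, and with the flag clear it either consults a local table or rejects, which is the division of labour the post argues for. Refusing to vouch for a null subfield is a conservative choice for the example; a fuller checker would expand the subfield hierarchically against the configured path.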
