hartmans at MIT.EDU
Mon May 17 19:15:50 EDT 2004
>>>>> "Will" == Will Fiveash <william.fiveash at sun.com> writes:
Will> I would think that the destination kdc should be able to
Will> enforce a trusted path policy globally for the realm it
Will> serves and not issue tickets for those requests that don't
Will> conform to that policy. Of course an application server
Will> should have the option to do it's own checking in the
Will> circumstance that it's policy is more strict than the kdc's.
The problem with this approach is that it makes it hard for people to
have trust relationships the KDC does not know about. Certainly you
should have to do explicit configuration to accept tickets that the
KDC has not approved.
More information about the krbdev