capaths questions
Sam Hartman
hartmans at MIT.EDU
Mon May 17 19:15:50 EDT 2004
>>>>> "Will" == Will Fiveash <william.fiveash at sun.com> writes:
Will> I would think that the destination kdc should be able to
Will> enforce a trusted path policy globally for the realm it
Will> serves and not issue tickets for those requests that don't
Will> conform to that policy. Of course an application server
Will> should have the option to do its own checking in the
Will> circumstance that its policy is more strict than the kdc's.
The problem with this approach is that it makes it hard for people to
have trust relationships the KDC does not know about. Certainly you
should have to do explicit configuration to accept tickets that the
KDC has not approved.