Nicolas.Williams at sun.com
Tue May 18 12:47:04 EDT 2004
On Tue, May 18, 2004 at 11:40:21AM -0500, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> > It's actually quite simple since most folk will get by with a default
> > rule allowing for any transited path and those who don't will generally
> > have a few such rules.
> This is a big security hole if they accept any path, in effect they
> are not testing the transited path!
I just followed that up with a clarification.
The matter of the default rule is not as interesting as how to
specify the rules.
I find it rather cumbersome to have to translate real-world rules into
capaths specifications, unless there are, indeed, very few paths.
> The point is that they should only accept one (or a few) trusted paths.
Which brings us back to how to specify trusted paths.