capaths questions

Nicolas Williams Nicolas.Williams at
Tue May 18 12:47:04 EDT 2004

On Tue, May 18, 2004 at 11:40:21AM -0500, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> > 
> > It's actually quite simple since most folk will get by with a default
> > rule allowing for any transited path and those who don't will generally
> > have a few such rules.
> > 
> This is a big security hole if they accept any path, in effect that
> are not testing the transited path! 

I just followed that up with a clarification.

The matter of the default rule is is not as interesting as how to
specify the rules.

I find it rather cumbersome to have to translate real-world rules into
capaths specifications, unless there are, indeed, very few paths.

> The point is that they should only accept one (or a few) trusted paths. 

Which brings us back to how to specify trusted paths.


More information about the krbdev mailing list