william.fiveash at sun.com
Tue May 18 12:52:14 EDT 2004
On Tue, May 18, 2004 at 11:45:47AM -0400, Sam Hartman wrote:
> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> Douglas> But the policy of the KDC does not have to reject every
> Douglas> request, it may only reject requests involving selective
> Douglas> services or selective realms, or even selective users.
> I do agree you can do this. I also suspect our KDC will retain the
> feature although the default mode will change.
> But this gets in to an area best described as authorization rather
> than authentication. Traditionally the Kerberos community believes
> that authorization decisions should in general be left to applications.
While transited path checking may be in the realm of authz, my point
about allowing the kdc to enforce a transited path policy for a realm is
that this allows the kdc admin to control this policy in one place (the
kdc) instead of on each app. server. The ability to manage this policy
centrally by kdc admins that may have a better understanding of the
trust issues should provide better security than having to manage the
policy distributed across different app. servers.
Note, I'm not stating that the app. server should not be allowed to do
its own policy enforcement. I'm just saying that, pragmatically, it's
good to manage policy centrally and the kdc seems like the place for
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
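To make the central-versus-distributed argument above concrete, here is an illustrative KDC-side transited-path policy check. This is an added example, not code from the poster, from Sun's KDC or from MIT krb5; the policy structure, the three decision values and the sample policy are assumptions made for illustration. It takes the transited realms as an already-decoded list (decoding the compressed form from RFC 4120 is not shown) and returns whether the KDC would accept the path, refuse the request, or leave the check to the application server for selected services, which is the selective behaviour Douglas describes.

```python
# Illustrative KDC-side transited-path policy check (added example; not MIT
# krb5 or Sun KDC code). Policy layout, decision names and sample data are
# assumptions for illustration only.
from dataclasses import dataclass, field

CHECKED = "checked"      # path acceptable: KDC would set TRANSITED-POLICY-CHECKED
UNCHECKED = "unchecked"  # KDC leaves the decision to the application server
REJECT = "reject"        # KDC refuses to issue the service ticket


@dataclass
class TransitPolicy:
    local_realm: str
    # Per foreign client realm: the intermediate realms a ticket may have
    # passed through. A realm with an empty set is trusted directly only.
    # A client realm missing from the map is not trusted at all.
    allowed_intermediates: dict = field(default_factory=dict)
    # Services for which the KDC deliberately does not enforce the policy,
    # so the application server has to decide (selective services).
    unchecked_services: set = field(default_factory=set)
    # Client principals that are always refused when arriving cross-realm
    # (selective users).
    denied_clients: set = field(default_factory=set)


def check_transited(policy, client_principal, service_principal, transited):
    """Decide what the KDC does with a cross-realm TGS request.

    client_principal: 'name@REALM'
    service_principal: 'svc/host@REALM', assumed to live in policy.local_realm
    transited: list of realm names the ticket passed through, already
               decoded from the RFC 4120 compressed transited encoding
    """
    client_realm = client_principal.rsplit("@", 1)[1]
    if client_realm == policy.local_realm:
        # Not a cross-realm request: nothing to check.
        return CHECKED
    if client_principal in policy.denied_clients:
        return REJECT
    service_name = service_principal.split("@", 1)[0]
    if service_name in policy.unchecked_services:
        # Policy says this service makes its own decision; flag stays clear.
        return UNCHECKED
    if client_realm not in policy.allowed_intermediates:
        return REJECT
    allowed = policy.allowed_intermediates[client_realm]
    # Every intermediate realm must be allowed for this client realm. The
    # client's own realm and the local realm never count as intermediates.
    for realm in transited:
        if realm in (client_realm, policy.local_realm):
            continue
        if realm not in allowed:
            return REJECT
    return CHECKED


# Constructed sample policy for EXAMPLE.COM (assumption, not real data).
EXAMPLE_POLICY = TransitPolicy(
    local_realm="EXAMPLE.COM",
    allowed_intermediates={
        "PARTNER.ORG": {"HUB.NET"},  # PARTNER.ORG may be reached via HUB.NET
        "DIRECT.EDU": set(),         # DIRECT.EDU only with a direct key
    },
    unchecked_services={"nfs/fileserver.example.com"},
    denied_clients={"contractor@PARTNER.ORG"},
)


def run_scenarios(policy=EXAMPLE_POLICY):
    """Evaluate a few constructed requests; returns a dict of decisions."""
    svc = "host/app.example.com@EXAMPLE.COM"
    nfs = "nfs/fileserver.example.com@EXAMPLE.COM"
    return {
        "local user": check_transited(policy, "carol@EXAMPLE.COM", svc, []),
        "partner via hub": check_transited(policy, "alice@PARTNER.ORG", svc, ["HUB.NET"]),
        "partner via rogue": check_transited(policy, "alice@PARTNER.ORG", svc, ["ROGUE.NET"]),
        "direct realm, direct": check_transited(policy, "bob@DIRECT.EDU", svc, []),
        "direct realm via hub": check_transited(policy, "bob@DIRECT.EDU", svc, ["HUB.NET"]),
        "unknown realm": check_transited(policy, "eve@UNKNOWN.NET", svc, []),
        "denied client": check_transited(policy, "contractor@PARTNER.ORG", svc, ["HUB.NET"]),
        "unchecked service": check_transited(policy, "alice@PARTNER.ORG", nfs, ["ROGUE.NET"]),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:22s} -> {decision}")
```

The point the example makes is that the allowed-path map, the exempt services and the denied clients live in one place the KDC admin controls; an application server that wants a stricter rule can still inspect the transited field itself when the flag is not set, but it cannot be laxer than what the KDC already refused.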