capaths questions

[Sam Hartman]

>>>>> "Will" == Will Fiveash <william.fiveash at sun.com> writes:

    Will> While transited path checking may be in the realm of authz,
    Will> my point about allowing the kdc to enforce a transited path
    Will> policy for a realm is that this allows the kdc admin to
    Will> control this policy in one place (the kdc) instead of on
    Will> each app. server.  The ability to manage this policy
    Will> centrally by kdc admins that may have a better understanding
    Will> of the trust issues should provide better security than
    Will> having to manage the policy distributed across different
    Will> app. servers.

My experience suggests that app server administrators are often aware
of trust paths that exist that KDC admins don't know about or are
unwilling to trust globally.  You tend to get most of the benefits of
central admins by having a default allow policy on the KDC (with the
tp-checked bit) and a default-deny policy on the application servers.


There are a large class of problems for which you want to have central
configuration but have an ability for exceptions to be defined at the
edges.