OK-AS-DELEGATE Flag

Wachdorf, Daniel R drwachd at sandia.gov
Wed Mar 8 15:56:06 EST 2006


Sandia currently has a working implementation of the OK_AS_DELEGATE flag
running on the MIT code base.  I would like to get this running on the
most current code base and submit a patch back to MIT.  

In doing this, I think the OK_AS_DELEGATE brings up a few questions worth
discussing:

1- Should the clients have influence over this?  

Our implementation requires clients attempt delegation and the
OK_AS_DELEGATE flag be set on the service ticket in order for delegation
to occur.  This sits in the Kerberos code, so it applies to GSSAPI as
well.

2- How should cross-realm delegation be handled?  

Do you want to trust the delegation flag from a cross realm service?
Also - not all Kerberos realms will support OK_AS_DELEGATE, so should
you be able to override this?  Should the flag only be relevant for the
local realm?

3- Should there be a configuration option to control the functionality?


Thanks in advance.

-dan

-------------------------------------- 
Daniel Wachdorf 
drwachd at sandia.gov 
Sandia National Laboratories 
Cyber Security Technologies 
505-284-8060 
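
The three questions in the message above can be read as inputs to one policy check. The following is an added example, not Sandia's implementation or MIT krb5 code: every `ex_` name, the policy struct and the three cross-realm modes are hypothetical, and only the flag's bit value (ok-as-delegate, bit 13 of TicketFlags in RFC 4120) comes from the protocol.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* ok-as-delegate is bit 13 of TicketFlags (RFC 4120); MIT krb5 names the
 * mask TKT_FLG_OK_AS_DELEGATE. Redefined here so the example is standalone. */
#define EX_TKT_FLG_OK_AS_DELEGATE 0x00040000u

/* Hypothetical answers to question 2 (cross-realm service tickets). */
enum ex_cross_realm_mode {
    EX_XREALM_HONOR_FLAG,   /* trust the foreign KDC's flag like a local one */
    EX_XREALM_NEVER,        /* never delegate outside the local realm */
    EX_XREALM_IGNORE_FLAG   /* override: foreign realm may not set the flag */
};

/* Hypothetical configuration (question 3). */
struct ex_deleg_policy {
    bool enforce_ok_as_delegate;          /* false = behaviour without the flag */
    enum ex_cross_realm_mode cross_realm;
};

/* Returns true only when the client's credentials should be delegated
 * to the service named in the ticket. */
bool ex_should_delegate(const struct ex_deleg_policy *p,
                        const char *client_realm, const char *service_realm,
                        uint32_t ticket_flags, bool client_requested)
{
    bool flag_set = (ticket_flags & EX_TKT_FLG_OK_AS_DELEGATE) != 0;

    if (!client_requested)           /* question 1: client must opt in */
        return false;
    if (!p->enforce_ok_as_delegate)  /* question 3: check disabled by config */
        return true;
    /* Realm names are case-sensitive, so a byte comparison is correct. */
    if (strcmp(client_realm, service_realm) != 0) {
        switch (p->cross_realm) {
        case EX_XREALM_NEVER:       return false;
        case EX_XREALM_IGNORE_FLAG: return true;
        case EX_XREALM_HONOR_FLAG:  break;   /* fall through to flag check */
        }
    }
    return flag_set;
}
```
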




More information about the krbdev mailing list