OK-AS-DELEGATE Flag
Wachdorf, Daniel R
drwachd at sandia.gov
Wed Mar 8 15:56:06 EST 2006
Sandia currently has a working implementation of the OK_AS_DELEGATE flag
running on the MIT code base. I would like to get this running on the
most current code base and submit a patch back to MIT.
In doing this, I think the OK_AS_DELEGATE brings up a few questions worth
discussing:
1- Should the clients have influence over this?
Our implementation requires clients attempt delegation and the
OK_AS_DELEGATE flag be set on the service ticket in order for delegation
to occur. This sits in the Kerberos code, so it applies to GSSAPI as
well.
2- How should cross-realm delegation be handled?
Do you want to trust the delegation flag from a cross realm service?
Also - not all Kerberos realms will support OK_AS_DELEGATE, so should
you be able to override this? Should the flag only be relevant for the
local realm?
3- Should there be a configuration option to control the functionality?
Thanks in advance.
-dan
--------------------------------------
Daniel Wachdorf
drwachd at sandia.gov
Sandia National Laboratories
Cyber Security Technologies
505-284-8060
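
The gate described in the message (the client attempts delegation and the service ticket carries OK-AS-DELEGATE), with the three open questions expressed as policy knobs. This is an added example, not part of the original message and not Sandia's or MIT's code. The struct, its field names and `should_delegate` are hypothetical, and refusing delegation when a foreign realm's flag is not trusted is only one possible answer to question 2. The bit position is ok-as-delegate(13) from the RFC 4120 TicketFlags definition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4120 TicketFlags: ok-as-delegate is bit 13, counted from the most
 * significant bit of the 32-bit flags word. */
#define OK_AS_DELEGATE_BIT 13
#define FLAG_MASK(bit) ((uint32_t)0x80000000u >> (bit))

/* Hypothetical policy knobs, one per open question in the message. */
struct deleg_policy {
    bool enforce_flag;       /* question 3: is the check enabled at all? */
    bool trust_foreign_flag; /* question 2: honor the flag from other realms? */
};

/* Hypothetical helper: should the client forward its credentials? */
bool should_delegate(const struct deleg_policy *p, bool client_requested,
                     uint32_t ticket_flags, const char *local_realm,
                     const char *service_realm)
{
    bool flag_set = (ticket_flags & FLAG_MASK(OK_AS_DELEGATE_BIT)) != 0;

    if (!client_requested)  /* question 1: the client must attempt delegation */
        return false;
    if (!p->enforce_flag)   /* check disabled: the client's request decides */
        return true;
    if (strcmp(local_realm, service_realm) != 0 && !p->trust_foreign_flag)
        return false;       /* assumed: an untrusted foreign flag fails closed */
    return flag_set;
}

int main(void)
{
    /* Constructed sample values: realm names and flag words are made up. */
    struct deleg_policy strict = { true, false };
    uint32_t flags = FLAG_MASK(OK_AS_DELEGATE_BIT);

    printf("local realm:   %d\n",
           should_delegate(&strict, true, flags, "A.EXAMPLE", "A.EXAMPLE"));
    printf("foreign realm: %d\n",
           should_delegate(&strict, true, flags, "A.EXAMPLE", "B.EXAMPLE"));
    return 0;
}
```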