OK-AS-DELEGATE FLAG setting.

Sam Hartman hartmans at MIT.EDU
Fri May 9 17:47:55 EDT 2008


>>>>> "Nebergall," == Nebergall, Christopher <cneberg at sandia.gov> writes:

    >>> Unless things have changed in the last 6 months or so, neither
    >>> Firefox, nor Safari pay any attention to the flag.  Only IE,
    >>> AFAIK.
    Nebergall,> The problem is that there is no way of doing it only
    Nebergall,> using GSSAPI calls. If there were, it would be no
    Nebergall,> problem to add to Firefox.  For example the SSPI in
    Nebergall,> Windows takes care of it transparently.  So if you are
    Nebergall,> using Firefox on Windows using the SSPI just configure
    Nebergall,> Firefox to delegate to everything, and the SSPI will
    Nebergall,> restrict it automatically.

    Nebergall,> This discussion came up a while back.
    Nebergall,> http://mailman.mit.edu/pipermail/krbdev/2006-March/004180.html

I think that we have Sandia's patch sitting in our bug database.
If we don't I definitely have it in my email.

I think that MIT Kerberos would be improved by taking the kadmin and kdc parts of that patch (or the similar Red Hat patch).

Long term I think that adding OK-AS-Delegate support to libkrb5 and
(although it is harder) gssapi would be a good idea.
I believe the discussion you point to describes all the issues.




