Sam Hartman hartmans at MIT.EDU
Fri May 9 17:51:38 EDT 2008

>>>>> "Paul" == Paul Moore <paul.moore at centrify.com> writes:

    Paul> The GSS layer should enforce the obedience of this flag. In
    Paul> the current MIT gss code it does not. This is very bad (we
    Paul> have reported this before). The KDC has set a flag saying
    Paul> 'don't forward this' and yet the MIT client code forwards it
    Paul> anyway. We offered a fix (we have it in place already) but
    Paul> were told 'no thanks'. I suspect that the reason the client
    Paul> side code ignores it is because the MIT KDC never sets it
    Paul> and so nobody in MIT has paid much attention to it. MS AD
    Paul> KDC uses it all the time. In fact AD's default mode is to
    Paul> set 'do not forward'

No. The problem is more complicated.  Basically the client should
implement the client's security policy.  One valid security policy is
delegate my decisions about trusted services to the KDC.  Under this
security policy, trusting the flag is a good idea.  Other valid
security policies exist, including ones that trust more or fewer

Today, the code makes it very clear that the policy is entirely in the
hands of the client.  This is not ideal; we'd like to support the
delegate-to-kdc policy.  However, we need to find a way to do that
without dropping policies that work today.  In the krb5 API it's
fairly obvious to see ways of extending it.  For GSS, it is harder to
see what you want to do.
