Services4User review
Luke Howard
lukeh at padl.com
Fri Aug 21 12:53:11 EDT 2009
> But where would the host's credentials go? Sure, you could use
<hypothetical>
If the acceptor and impersonate credentials are the same thing (which,
for constrained delegation in the Kerberos world, they must be), then
a single acceptor credential handle with GSS_C_BOTH would work:
gss_accept_sec_context() could then return a credentials handle
containing both the verifier's initiator credentials and the evidence
ticket (i.e. from the initiator to the acceptor).
(gss_acquire_cred_impersonate_cred() does just this.)
</hypothetical>
Anyway, I'm fine with the existing design :-)
> - One could imagine alternative ways to design S4U2PROXY for
> Kerberos where the proxy gets a TGT to impersonate the subject,
> but the TGT carries authz-data that constrains what service
> principals it can be used to get service tickets for.
Ah yes, that would be interesting too!
-- Luke
More information about the krbdev mailing list