lukeh at padl.com
Fri Aug 21 12:53:11 EDT 2009
> But where would the host's credentials go? Sure, you could use
If the acceptor and impersonate credentials are the same thing (which,
for constrained delegation in the Kerberos world, they must be), then
a single acceptor credential handle with GSS_C_BOTH would work:
gss_accept_sec_context() could then return a credentials handle
containing both the verifier's initiator credentials and the evidence
ticket (i.e. from the initiator to the acceptor).
(gss_acquire_cred_impersonate_cred() does just this.)
Anyway, I'm fine with the existing design :-)
> - One could imagine alternative ways to design S4U2PROXY for
> Kerberos where the proxy gets a TGT to impersonate the subject,
> but the TGT carries authz-data that constrains what service
> principals it can be used to get service tickets for.
Ah yes, that would be interesting too!