Fwd: Delegation and Moonshot

Tom Yu tlyu at MIT.EDU
Wed Apr 6 15:42:16 EDT 2011

Nico Williams <nico at cryptonector.com> writes:

> On Tue, Apr 5, 2011 at 1:44 PM,  <g.w at hurderos.org> wrote:
>> Very interesting work but I need to catch up a bit.  I assume we as a
>> community are no longer shouting down the thought of kerberos ticket
>> mediated transmission of authorization information as the incarnation
>> of evil....? :-)
>> That seemed to be the case 8 years ago or so when we were working on
>> the problem of identity linked service authorization assertions.
> Perhaps what you remember is Slashdot.  The Kerberos community as I
> joined it in 2001 didn't mind the use of Kerberos authz-data at all,
> and I suspect it didn't mind it in 2000 either.

The specific situation where people disagreed with the original
Microsoft Windows PAC (for "Windows NT 5" as some people referred to
it back then) requires a large amount of context to understand, which
I won't try to convey here even if I believed I knew all the relevant
factors.  I'll just say the objections were to the specifics, rather
than to the idea of carrying authorization information in tickets
(which RFC 1510 had a designated place for, after all).

As originally envisioned, authorization data in a Kerberos ticket
would be used to convey restrictions that the services should apply to
the privileges that principal would normally have.  (Thus, a ticket
with authorization data that a service does not understand must be
refused by the service.)  As I recall, the community eventually
decided that it was OK to have authorization data that enhanced
privileges, provided that they were in an "if-relevant" container, for

More information about the krbdev mailing list
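
The rule described in the message above (authorization data a service does not understand forces refusal, unless it sits inside an "if-relevant" container) can be sketched as follows. This is an added example, not code from the original post or from any Kerberos implementation. It assumes the elements are already decoded into (ad_type, ad_data) pairs, uses the AD-IF-RELEVANT (1) and AD-WIN2K-PAC (128) type numbers from RFC 4120, and treats 9999 as a hypothetical type no service knows.

```python
# Added example: criticality handling for Kerberos authorization data.
# Assumption: elements are already-decoded (ad_type, ad_data) pairs; a real
# service would obtain them from the ASN.1 AuthorizationData in the ticket.
# Only the AD-IF-RELEVANT container is modelled here.

AD_IF_RELEVANT = 1    # RFC 4120 container: contents may be ignored
AD_WIN2K_PAC = 128    # RFC 4120 type number for the Microsoft PAC
AD_HYPOTHETICAL = 9999  # constructed type, unknown to every service below


class UnknownCriticalAuthData(Exception):
    """The ticket carries an element the service must understand but does not."""


def evaluate_authdata(elements, understood, critical=True):
    """Return (applied, ignored) lists of ad_types.

    Raises UnknownCriticalAuthData when an element the service does not
    understand appears outside an AD-IF-RELEVANT container.
    """
    applied, ignored = [], []
    for ad_type, ad_data in elements:
        if ad_type == AD_IF_RELEVANT:
            # Everything nested in the container is optional for the service.
            a, i = evaluate_authdata(ad_data, understood, critical=False)
            applied += a
            ignored += i
        elif ad_type in understood:
            applied.append(ad_type)
        elif critical:
            raise UnknownCriticalAuthData(f"unknown critical ad-type {ad_type}")
        else:
            ignored.append(ad_type)
    return applied, ignored


def accept_ticket(elements, understood):
    """True if the service may accept the ticket, False if it must refuse."""
    try:
        evaluate_authdata(elements, understood)
        return True
    except UnknownCriticalAuthData:
        return False


# Constructed sample tickets (payload bytes are placeholders).
PAC_WRAPPED = [(AD_IF_RELEVANT, [(AD_WIN2K_PAC, b"pac")])]
PAC_BARE = [(AD_WIN2K_PAC, b"pac")]
MIXED = [(AD_IF_RELEVANT, [(AD_WIN2K_PAC, b"pac")]), (AD_HYPOTHETICAL, b"x")]
```

A service that knows nothing about the PAC accepts `PAC_WRAPPED` and ignores the PAC, but must refuse `PAC_BARE`.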