[kitten] Verified authorization data
Peter Mogensen
apm at one.com
Thu Jun 12 08:55:29 EDT 2014
On 2014-06-12 14:47, Simo Sorce wrote:
> On Thu, 2014-06-12 at 09:12 +0200, Peter Mogensen wrote:
>> Sure... any solution to the S4U2proxy use case would require protecting
>> the ticket and attached authdata, which the KDC has to trust against
>> service tampering.
>
> Sorry, no, the binding to the specific ticket is not a requirement for
> s4u2proxy. The only requirement there is the KDC MAC which could be done
> the same way as the SVC MAC.
Doesn't that depend on what any authdata plugin at the KDC might need to
do with any authdata in the evidence ticket when processing the
S4U2proxy TGS?
Such authdata in the evidence ticket could be something which the KDC
would be in a position to verify in the principal database and issue a
fresh copy.
But it could also be that the KDC had to trust the authdata in the
evidence ticket and copy that information into the issued ticket.
In that case, you would need to protect against a service inserting
authdata from another ticket into the evidence ticket.
/Peter
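To make the concern in this reply concrete, here is an added toy model (not code from the krbdev thread and not MIT krb5's implementation) of the two KDC MAC designs being compared: a MAC over the authdata alone, and a MAC that also covers fields identifying the ticket that carries it. The ticket layout, the field names, the constructed KDC key and the `issue_ticket`/`copy_authdata` helpers are all assumptions made for this illustration; the point shown is only which verifier rejects KDC-signed authdata that has been moved from one ticket into another.

```python
"""Toy model: binding KDC-verified authorization data to its ticket.

Constructed for illustration; field names, key derivation and ticket
layout are assumptions, not the Kerberos wire format.
"""
import hashlib
import hmac
import json

# Constructed KDC key. In a deployment this would be derived from a
# long-term KDC key and never leave the KDC.
KDC_KEY = hashlib.sha256(b"constructed-kdc-key").digest()


def canonical(obj) -> bytes:
    """Deterministic encoding so issuer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac_unbound(authdata: dict, key: bytes = KDC_KEY) -> bytes:
    """KDC MAC over the authdata only; nothing ties it to a ticket."""
    return hmac.new(key, canonical(authdata), hashlib.sha256).digest()


def ticket_binding(ticket: dict) -> dict:
    """Fields that identify one issued ticket (assumed set for this model)."""
    return {
        "cname": ticket["cname"],
        "sname": ticket["sname"],
        "authtime": ticket["authtime"],
        "endtime": ticket["endtime"],
        # Hash of the session key, so the binding differs for every ticket.
        "skey": hashlib.sha256(ticket["session_key"]).hexdigest(),
    }


def mac_bound(authdata: dict, ticket: dict, key: bytes = KDC_KEY) -> bytes:
    """KDC MAC over the authdata plus the identity of its enclosing ticket."""
    msg = canonical({"authdata": authdata, "ticket": ticket_binding(ticket)})
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_unbound(ticket: dict, key: bytes = KDC_KEY) -> bool:
    """KDC-side check for the unbound design."""
    ad = ticket["authdata"]
    return hmac.compare_digest(mac_unbound(ad["value"], key), ad["kdc_mac"])


def verify_bound(ticket: dict, key: bytes = KDC_KEY) -> bool:
    """KDC-side check for the bound design: recompute with THIS ticket's fields."""
    ad = ticket["authdata"]
    return hmac.compare_digest(mac_bound(ad["value"], ticket, key), ad["kdc_mac"])


def issue_ticket(cname, sname, authdata_value, session_key, bind):
    """Constructed KDC: build a ticket and attach authdata with a KDC MAC."""
    ticket = {
        "cname": cname, "sname": sname,
        "authtime": 1402577729, "endtime": 1402613729,
        "session_key": session_key,
    }
    mac = mac_bound(authdata_value, ticket) if bind else mac_unbound(authdata_value)
    ticket["authdata"] = {"value": authdata_value, "kdc_mac": mac}
    return ticket


def copy_authdata(target, donor):
    """Model of a service presenting target as evidence ticket with donor's authdata."""
    evidence = dict(target)
    evidence["authdata"] = dict(donor["authdata"])
    return evidence


def demo():
    """For each design: do genuine tickets verify, and is moved authdata accepted?"""
    results = {}
    for bind, verify in ((False, verify_unbound), (True, verify_bound)):
        alice = issue_ticket("alice", "http/web", {"groups": ["admins"]}, b"k-alice", bind)
        bob = issue_ticket("bob", "http/web", {"groups": ["users"]}, b"k-bob", bind)
        evidence = copy_authdata(bob, alice)
        results["bound" if bind else "unbound"] = {
            "genuine": verify(alice) and verify(bob),
            "moved_accepted": verify(evidence),
        }
    return results


if __name__ == "__main__":
    for design, outcome in demo().items():
        print(design, outcome)
```

The unbound verifier recomputes the same MAC whichever ticket the authdata now sits in, so a KDC that trusts such authdata when processing an S4U2proxy TGS request cannot tell whose ticket it came from; the bound verifier folds the evidence ticket's own fields into the MAC input and rejects the copy. Which design is needed depends, as the reply says, on whether the KDC re-derives the authdata from its own database or has to trust what the evidence ticket carries.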