
Re: [remctl] Proposal for new credential delegation functionality

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Nov 7 14:19:18 2014

From: Russ Allbery <eagle@eyrie.org>
To: Simo Sorce <simo@redhat.com>
In-Reply-To: <20141107105007.01b46f47@willson.usersys.redhat.com> (Simo
	Sorce's message of "Fri, 7 Nov 2014 10:50:07 -0500")
Date: Fri, 07 Nov 2014 11:19:02 -0800
Message-ID: <87vbmq6cpl.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Simo Sorce <simo@redhat.com> writes:

> It is a very nice-to-have, but it would be really nice if you did not
> use unbounded delegation (i.e. send the whole TGT) but rather allow to
> either just send a ticket (set of tickets) for whatever action may be
> needed, and/or support constrained delegation on the receiving end
> (s4u2proxy).

s4u2proxy feels like the right tool to me.  I don't like the idea of
unconstrained delegation, and constrained delegation where the client
sends a specific ticket requires the client know what ticket to send.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos