[472] in Kerberos_Protocol


Re: Ticket extensions in Kerberos revisions

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed May 3 19:23:32 2000

Date: Wed, 3 May 2000 14:43:33 -0400
From: Nicolas Williams <willian@ubsw.com>
To: ietf-cat-wg@lists.Stanford.EDU, krb-protocol@MIT.EDU
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Message-Id: <20000503144331.X1094@sm2p1386swk.wdr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <200005031818.OAA25955@ginger.cmf.nrl.navy.mil>


On Wed, 03 May 2000, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> >At the risk of repeating myself :) there is one more alternative:
> >include a token in the ticket that the target service can use to
> >perform the user login info lookup. This way clients need no changes and
> >yet there is no need to include users' complete system profile in the
> >tickets.
> 
> This token already exists - it's called "the client principal".  You
> shouldn't need anything else.
> 
> --Ken

For that to be enough you must allow all servers to look up any user's
login data.

I'm postulating that MS wanted to avoid this.

Nico
--

