in Kerberos_Protocol
Re: Ticket extensions in Kerberos revisions
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Thu May 4 11:44:31 2000
Date: Thu, 4 May 2000 11:39:16 -0400
From: Nicolas Williams <firstname.lastname@example.org>
To: cat-ietf@MIT.EDU, krb-protocol@MIT.EDU
Cc: Ken Hornstein <email@example.com>
Content-Type: text/plain; charset=us-ascii
Date: Thu, 04 May 2000 00:19:04 -0400
From: Ken Hornstein <firstname.lastname@example.org>
On Thu, 04 May 2000, Ken Hornstein <email@example.com> wrote:
> >In Windows 2000 you don't have to do that. I think it's security
> >advantage not to have to run services with priviledges, though it's not
> >a perfect solution wrt untrusted software.
> You're forgetting one thing - Kerberos was designed to authenticate
> principals _across a network_, not through a third party on the same
> machine. If it's on the same machine, it's explicitly outside of the
> Kerberos design criteria.
This is the reason for that KDC PAC signature in the MS spec. I propose
that it be done differently, but either way it doesn't cost much at
all (signatures are small).
> (It makes me wonder why the third-party app couldn't pass ticket +
> authenticator to a system service, where _he_ could verify it and give
> the appropriate privs to the third-party app).
Because the third-party app has to have access to its service principal
key and so can forge tickets to itself.