[482] in Kerberos_Protocol

Re: Ticket extensions in Kerberos revisions

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu May 4 11:48:06 2000

Message-Id: <200005041547.LAA11924@ginger.cmf.nrl.navy.mil>
To: cat-ietf@MIT.EDU, krb-protocol@MIT.EDU
In-Reply-To: Your message of "Thu, 04 May 2000 11:39:16 EDT."
             <20000504113915.B1094@sm2p1386swk.wdr.com> 
Date: Thu, 04 May 2000 11:47:35 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>> (It makes me wonder why the third-party app couldn't pass ticket +
>> authenticator to a system service, where _he_ could verify it and give
>> the appropriate privs to the third-party app).
>
>Because the third-party app has to have access to its service principal
>key and so can forge tickets to itself.

So give only the system service access to the principal key (and I'm
confused right now; according to Martin Rex, what I described _is_ the
way it works.  Who's right?)

--Ken
