[710] in Kerberos
Re: Distinguishing "users" and "services"
daemon@TELECOM.MIT.EDU (Ralph R. Swick)
Tue May 9 09:23:07 1989
To: John T Kohl <jtkohl@ATHENA.MIT.EDU>
Cc: kerberos@ATHENA.MIT.EDU, krb-protocol@ATHENA.MIT.EDU
In-Reply-To: Your message of Mon, 08 May 89 14:36:39 -0400.
From: Ralph R. Swick <swick@ATHENA.MIT.EDU>
> I propose allocating a flag bit in the KDC database to indicate that the
> indicated principal is not allowed to provide direct service, i.e. the
> TGS will reject any requests to issue a ticket which the principal can
> decrypt.
Hmm. What does "provide direct service" really mean in the long
run? Does reading a mail message consisting of credentials and
a body encrypted in a session key constitute a "service"?
I suspect that a side-effect of this flag will be to increase the size
of the db substantially by forcing all users to have two instances;
one that provides "service" and correspondingly is denied service
by others (authorization again... :-) and one that doesn't. Smells
suspiciously similar to public/private key to me.
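The rule quoted at the top of this message (a KDC-database flag that makes the TGS refuse to issue any ticket a principal could decrypt), together with the "two instances per user" consequence Ralph describes, as a toy model. This is an added illustration and not code from the 1989 Kerberos implementation or from anyone in the thread. The flag name DISALLOW_SVR is borrowed from the attribute MIT krb5 later added for this purpose; the bit value, the principal names and the database contents are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed bit position for the example; the thread does not specify one.
DISALLOW_SVR = 0x1


@dataclass
class Principal:
    name: str        # "name" or "name/instance", as in the KDC database
    flags: int = 0   # KDC-database flag bits


@dataclass
class ToyTGS:
    """Minimal stand-in for the ticket-granting service's issue/refuse decision."""
    db: dict = field(default_factory=dict)

    def add_principal(self, name, flags=0):
        self.db[name] = Principal(name, flags)

    def issue(self, client, service):
        """Return (issued, reason).

        Only the *target* principal is checked for DISALLOW_SVR: a flagged
        principal may still obtain tickets as a client, it just can never be
        the principal a ticket is encrypted for.
        """
        if client not in self.db:
            return False, "unknown client principal"
        svc = self.db.get(service)
        if svc is None:
            return False, "unknown service principal"
        if svc.flags & DISALLOW_SVR:
            # The proposed rule: refuse any ticket this principal could decrypt.
            return False, f"{service} is flagged DISALLOW_SVR"
        return True, f"ticket for {service} issued to {client}"


def build_example():
    """Constructed sample database showing the instance doubling Ralph predicts."""
    tgs = ToyTGS()
    tgs.add_principal("alice", DISALLOW_SVR)  # interactive user: may not be a ticket target
    tgs.add_principal("alice/mail")           # second instance so alice can receive sealed mail
    tgs.add_principal("bob", DISALLOW_SVR)
    tgs.add_principal("rcmd/host1")           # an ordinary host service
    return tgs


if __name__ == "__main__":
    tgs = build_example()
    for client, service in [("alice", "rcmd/host1"), ("bob", "alice"), ("bob", "alice/mail")]:
        print(client, "->", service, tgs.issue(client, service))
```

Running it shows the three cases the thread is arguing about: alice can still get a ticket for rcmd/host1, bob is refused a ticket for alice, and bob is issued one for alice/mail, which is exactly the second instance per user (with its own key) that the flag forces into the database.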