[1256] in Kerberos_V5_Development

Re: security flaw in get_in_tkt: address verification

daemon@ATHENA.MIT.EDU (Marc Horowitz)
Fri May 31 22:23:01 1996

To: Sam Hartman <hartmans@MIT.EDU>
Cc: epeisach@MIT.EDU, krbdev@MIT.EDU, "Barry Jaspan" <bjaspan@MIT.EDU>
Date: Fri, 31 May 1996 22:22:55 EDT
From: Marc Horowitz <marc@MIT.EDU>

>> 	Are you sure that there aren't situations involving proxies
>> through a firewall where the kdc, or agent between the kdc and client
>> might not reasonably add addresses to the tgt request?  Do we want to
>> allow such usage?

In such a situation, I'd rather the proxy talk to the client, and have
the client forward the tickets to the new address, than have the proxy
changing the ticket in transit.

		Marc
