On Aug 9, 2011, at 11:24 AM, Brian Carlstrom wrote:

> I'm somewhat familiar with Kerberos having ported it across more traditional
> OS's in my youth, but have little experience with it in a Java environment,
> and have not thought out the general issues that might be present when each
> app runs in an independent UID with regard to how ticket management etc might
> work.

I suppose you could have the Kerberos network client app be a Service to other apps on the Android device, and proxy their requests for tickets. The status quo for traditional operating systems, in which all Kerberos-using clients get different tickets granting different network privileges yet all run as the same UID and thus can steal from each other, would be sub-par for Android. The Kerberos client app could enforce a policy such as "give other clients only the ticket(s) they previously asked for (and presented credentials for)", thus achieving Android-like privilege separation.

I can imagine a need for first-class Kerberos support on Android, but it's not at the top of my "things Android needs" list. But it's not at the bottom, either...
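
The policy proposed in the message above, sketched as an added example that is not part of the original post or of any Android API: a broker that keys its ticket cache by caller UID, so one app can never read a ticket another app obtained. The class name, the `Kdc` interface, the UIDs and the principals are hypothetical; on Android the UID would be taken from `Binder.getCallingUid()` inside the bound Service.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class TicketBroker {
    // Hypothetical stand-in for the Kerberos exchange: returns an opaque
    // ticket if the credentials are accepted for the service, else empty.
    interface Kdc { Optional<byte[]> acquire(String principal, char[] secret, String service); }

    private final Kdc kdc;
    // callerUid -> (service principal -> ticket). No lookup crosses UIDs.
    private final Map<Integer, Map<String, byte[]>> cache = new HashMap<>();

    TicketBroker(Kdc kdc) { this.kdc = kdc; }

    // callerUid must be supplied by the platform (assumption: the Service reads
    // Binder.getCallingUid()), never taken from a field the client controls.
    synchronized boolean request(int callerUid, String principal, char[] secret, String service) {
        Optional<byte[]> t = kdc.acquire(principal, secret, service);
        Arrays.fill(secret, '\0'); // the broker does not retain the credential
        t.ifPresent(ticket ->
            cache.computeIfAbsent(callerUid, k -> new HashMap<>()).put(service, ticket));
        return t.isPresent();
    }

    // Hands back a ticket only if this same UID asked for it earlier and
    // presented credentials that were accepted.
    synchronized Optional<byte[]> get(int callerUid, String service) {
        Map<String, byte[]> mine = cache.get(callerUid);
        if (mine == null || !mine.containsKey(service)) return Optional.empty();
        return Optional.of(mine.get(service).clone());
    }

    // Drop everything for a UID, e.g. when its package is removed, so a
    // later app that is assigned the same UID inherits nothing.
    synchronized void forget(int callerUid) { cache.remove(callerUid); }

    public static void main(String[] args) {
        // Constructed sample data: a fake KDC that accepts a single password.
        Kdc fake = (p, s, svc) -> new String(s).equals("correct")
                ? Optional.of((p + "->" + svc).getBytes()) : Optional.empty();
        TicketBroker b = new TicketBroker(fake);
        int mailApp = 10051, otherApp = 10052; // constructed app UIDs
        String svc = "imap/mail.example.com";
        System.out.println("mail app request: " + b.request(mailApp, "alice@EXAMPLE.COM", "correct".toCharArray(), svc));
        System.out.println("mail app get:     " + b.get(mailApp, svc).isPresent());
        System.out.println("other app get:    " + b.get(otherApp, svc).isPresent());
        System.out.println("other app, bad credentials: " + b.request(otherApp, "alice@EXAMPLE.COM", "wrong".toCharArray(), svc));
    }
}
```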
