>>>>> "Paul" == Paul Jakma <[EMAIL PROTECTED]> writes:
    Paul> hi, i'm wondering whether it would be possible to implement
    Paul> ACLs for service ticket requests?

Yes, unfortunately it might be possible to do this. This means someone might do it. Depending on how they did it they would either create a security problem or an interoperability problem.

Kerberos assumes that authentication does not imply authorization. The intent is that I be able to get a service ticket for any service anywhere. That service may deny my authorization, but all the currently existing services have authorization checks. If people start writing and deploying services without such authorization checks then running those services against standard KDCs would create a security problem.

You're better off adopting a privilege certificate solution like DCE or Microsoft or using a directory like LDAP to store authorization information.
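
The model described in the reply above, where the KDC issues a service ticket to anyone and the service itself decides what the authenticated principal may do, as an added example that is not part of the original message. The ACL contents, principal names and function names are constructed for illustration, and the ticket is assumed to have been verified already by the service's Kerberos library.

```python
# Added example (not from the original message): the service-side
# authorization check that must follow Kerberos authentication.
# Assumption: the ticket was already verified by the service's Kerberos
# library, which handed over the client principal as a string.

# Constructed ACL: (name, realm) -> operations that principal may perform.
ACL = {
    ("alice", "EXAMPLE.COM"): {"read", "write"},
    ("backup/admin", "EXAMPLE.COM"): {"read"},
}


def split_principal(principal):
    """Split 'name[/instance]@REALM' at its single unescaped '@'."""
    at_positions = []
    i = 0
    while i < len(principal):
        if principal[i] == "\\":   # backslash escapes the next character
            i += 2
            continue
        if principal[i] == "@":
            at_positions.append(i)
        i += 1
    if len(at_positions) != 1:
        raise ValueError("principal must carry exactly one realm")
    at = at_positions[0]
    name, realm = principal[:at], principal[at + 1:]
    if not name or not realm:
        raise ValueError("empty name or realm")
    return name, realm


def authorize(principal, operation, acl=ACL):
    """Return True only if this exact principal, realm included, is listed."""
    try:
        key = split_principal(principal)
    except ValueError:
        return False                      # malformed identity: deny
    # Default deny: a valid ticket alone grants nothing.
    return operation in acl.get(key, set())


if __name__ == "__main__":
    for who in ("alice@EXAMPLE.COM", "alice@OTHER.EXAMPLE.ORG",
                "mallory@EXAMPLE.COM"):
        print(who, "read ->", authorize(who, "read"))
```

The realm is part of the ACL key and compared case-sensitively, so a principal with the same name from another realm, reachable through cross-realm trust, is denied unless it is listed explicitly.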