>>>>> "Paul" == Paul Jakma <[EMAIL PROTECTED]> writes:

    Paul> hi, i'm wondering whether it would be possible to implement
    Paul> ACLs for service ticket requests?

Yes, unfortunately it might be possible to do this.  This means
someone might do it.  Depending on how they did it they would either
create a security problem or an interoperability problem.

Kerberos assumes that authentication does not imply authorization.
The intent is that I be able to get a service ticket for any service
anywhere.  That service may deny my authorization, but all the
currently existing services have authorization checks.

If people start writing and deploying services without such
authorization checks then running those services against standard KDCs
would create a security problem.

You're better off adopting a privilege certificate solution like DCE
or Microsoft or using a directory like LDAP to store authorization
information.

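The point made in the message above, that a service ticket only authenticates the client and every service must make its own authorization decision, as an added example that is not part of the original message. The ACL format, the hypothetical backup service and all principal names are constructed for illustration, and the principal string is assumed to come from the service's Kerberos library after the ticket has been accepted.

```python
# Added example: authorization performed by the service itself, after
# Kerberos authentication has already succeeded. Default is deny.

# Constructed ACL for a hypothetical backup service.
ACL_TEXT = """
# principal pattern        permitted operations
alice@EXAMPLE.ORG          read
*/admin@EXAMPLE.ORG        read,write
"""

def split_principal(name):
    """'bob/admin@EXAMPLE.ORG' -> (['bob', 'admin'], 'EXAMPLE.ORG'), None if malformed."""
    local, sep, realm = name.rpartition("@")
    if not sep or not local or not realm or "@" in local:
        return None
    return local.split("/"), realm

def parse_acl(text):
    """Return [(pattern, {operations})], skipping blanks, comments, bad lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and split_principal(parts[0]):
            rules.append((parts[0], {op.strip() for op in parts[1].split(",")}))
    return rules

def matches(principal, pattern):
    """Component-wise match; '*' matches one component, the realm must be equal."""
    p, q = split_principal(principal), split_principal(pattern)
    if p is None or q is None or p[1] != q[1] or len(p[0]) != len(q[0]):
        return False
    return all(qc in ("*", pc) for pc, qc in zip(p[0], q[0]))

def authorize(principal, operation, rules):
    """A valid ticket proves identity only; anything not listed is refused."""
    return any(matches(principal, pat) and operation in ops for pat, ops in rules)

RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for who, op in [("alice@EXAMPLE.ORG", "read"),
                    ("mallory@EXAMPLE.ORG", "read"),     # authenticated, not listed
                    ("alice@OTHER.EXAMPLE", "read"),     # same name, different realm
                    ("bob/admin@EXAMPLE.ORG", "write")]:
        print(who, op, "->", "allow" if authorize(who, op, RULES) else "deny")
```

The realm is compared as part of the name, so a client from another realm that shares a short name with a listed user is still refused.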