>>>>> "Paul" == Paul Jakma <[EMAIL PROTECTED]> writes:
Paul> On 21 Jan 2002, Sam Hartman wrote:
>> Yes, unfortunately it might be possible to do this. This means
>> someone might do it. Depending on how they did it they would
>> either create a security problem or an interoperability
>> problem.
Paul> shouldn't be an interoperability problem, should it? it would
Paul> be completely internal to the KDC. at worst a principal is
Paul> denied a service ticket request. ??
No, at worst a principal is granted access because a service assuming
the KDC does authorization is deployed in a realm where this is not
the case. The interop problem happens when someone wants to deploy a
service but realizes they cannot do so because it requires
authorization features their realm does not support.
>> Kerberos assumes that authentication does not imply
>> authorization.
Paul> indeed. and while such a policy would be admirable, the
I am aware of no widely deployed Kerberos applications without
authorization support.
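As an added illustration of the point made in this exchange (not code from the thread or from any Kerberos implementation): a service must do its own authorization after Kerberos authentication, because a valid service ticket only proves who the client is. The ACL format, the `.k5login`-style layout and the sample principals are assumptions for the example.

```python
# Added example (not from the thread): a service-side authorization check
# for Kerberos, showing that an authenticated client principal must still
# be matched, realm included, against the service's own access list.

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str      # e.g. "alice" or "bob/admin"
    realm: str     # e.g. "EXAMPLE.COM"


def parse_principal(text: str) -> Principal:
    """Split 'name@REALM'; a missing realm is rejected rather than
    defaulted, so a principal from another realm is never mistaken
    for a local one."""
    if "@" not in text:
        raise ValueError(f"principal {text!r} has no realm")
    name, realm = text.rsplit("@", 1)
    if not name or not realm:
        raise ValueError(f"malformed principal {text!r}")
    return Principal(name, realm)


def load_acl(acl_text: str) -> frozenset[Principal]:
    """Parse a .k5login-style list (assumed format): one principal per
    line, blank lines and '#' comments ignored."""
    entries = set()
    for line in acl_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(parse_principal(line))
    return frozenset(entries)


def authorize(authenticated_client: str, acl: frozenset[Principal]) -> bool:
    """Deny by default: the ticket established identity (authentication);
    access is granted only if that exact principal appears in the
    service's own ACL (authorization), regardless of KDC policy."""
    try:
        client = parse_principal(authenticated_client)
    except ValueError:
        return False
    return client in acl


# Constructed sample ACL for the example.
SAMPLE_ACL = load_acl("""
# operators allowed to use this service
alice@EXAMPLE.COM
bob/admin@EXAMPLE.COM
""")
```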