>>>>> "Paul" == Paul Jakma <[EMAIL PROTECTED]> writes:
Paul> On 21 Jan 2002, Sam Hartman wrote:
>> Yes, unfortunately it might be possible to do this. This means
>> someone might do it. Depending on how they did it they would
>> either create a security problem or an interoperability
>> problem.

Paul> shouldn't be an interoperability problem should it? it would
Paul> be completely internal to the KDC. at worst a principal is
Paul> denied a service ticket request. ??

No, at worst a principal is granted access because a service assuming
the KDC does authorization is deployed in a realm where this is not
the case. The interop problem happens when someone wants to deploy a
service but realizes they cannot do so because it requires
authorization features their realm does not support.

>> Kerberos assumes that authentication does not imply
>> authorization.

Paul> indeed. and while such a policy would be admirable, the

I am aware of no widely deployed Kerberos applications without
authorization support.