On Fri, 25 Jan 2002, Andreas Hasenack wrote:

> It's like that company example, when I present myself at the desk clerk,
> I get a temp ID for use within the company. This doesn't allow me
> automatically in the restricted areas.

/AIUI/, to make the analogy between a keycard system and Kerberos, it is not the job of the keycard issuer to find out whether you will need to access Area A and/or Area C and/or Area D, etc. They (the card/ticket issuer) just need to give you the correct TGT for your principal (or keycard). It is the job of the doors or keycard systems (or actual services that use Kerberos) at each area to check whether the keycard you hold (or the ticket that only you, the principal identified in the ticket, could have gotten) is allowed to access that area.

I /think/. :)

--paulj
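
The split described in the message above, as an added example that is not part of the original post: the issuer only vouches for identity, and each service applies its own access list. This is a simplified model, not Kerberos itself; the HMAC-sealed ticket, the key values, the principal names and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed long-term keys the issuer shares with each service (the "doors").
SERVICE_KEYS = {"area-a": b"constructed-key-a", "area-c": b"constructed-key-c"}

def issue_ticket(principal, service):
    """Issuer side: vouch for identity only. No access policy is consulted."""
    body = json.dumps({"principal": principal, "service": service}).encode()
    tag = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).hexdigest()
    return body, tag

class Service:
    """Service side: verify the ticket, then apply this service's own ACL."""
    def __init__(self, name, key, acl):
        self.name, self.key, self.acl = name, key, set(acl)

    def authenticate(self, ticket):
        body, tag = ticket
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # not sealed with this service's key, or altered
        claims = json.loads(body)
        return claims["principal"] if claims["service"] == self.name else None

    def access(self, ticket):
        principal = self.authenticate(ticket)
        if principal is None:
            return "unauthenticated"
        # Authorization is a local decision the issuer never sees.
        return "granted" if principal in self.acl else "forbidden"

def demo():
    """One visitor, two doors: same identity, different local decisions."""
    area_a = Service("area-a", SERVICE_KEYS["area-a"], acl=["staff@EXAMPLE.ORG"])
    area_c = Service("area-c", SERVICE_KEYS["area-c"], acl=["visitor@EXAMPLE.ORG"])
    visitor = "visitor@EXAMPLE.ORG"
    return {
        "area-a": area_a.access(issue_ticket(visitor, "area-a")),
        "area-c": area_c.access(issue_ticket(visitor, "area-c")),
        "wrong-door": area_a.access(issue_ticket(visitor, "area-c")),
    }

if __name__ == "__main__":
    print(demo())
```

The issuer hands out a valid ticket for either area; only the service's own list decides between "granted" and "forbidden".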