[EMAIL PROTECTED] (Nicolas Williams) writes:

>> Actually, I think that it would be a good thing if there were an
>> authorization data type for packing ticket ACLs (i.e., princ name
>> patterns) into forwarded TGTs. The idea being that you could forward a
>> TGT that is crippled and allows the receiver of it to get tickets in
>> your name to only a few services.

It requires no changes to the protocol or KDC to use the local TGT to get
forwardable service tickets for the short list of specific services you
care about, and forward those.

Marc