"Michael B Allen" <[EMAIL PROTECTED]> writes: > Your choices are based on necessity, not trust. If the web application > needs delegated credentials (e.g. to authenticate as the user with > another tier), then you need to send the TGT [1].
Unless you use a system such as WebAuth or Cosign that supports limited delegation, in which case you can send only exactly the credentials that the web application needs. > [1] Kerberos provides other ways to limit how the TGT can be used and to > proxy service tickets and such but I don't think browsers have support > for such things yet. They don't so far as I know. Delegation in all the current browsers is an all-or-nothing affair. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
