>>>>> "pcmoore@sandia" == pcmoore@sandia gov via RT <rt-comment@krbdev.mit.edu> writes:

    pcmoore@sandia> I agree that the proposed fix would cause a subtle
    pcmoore@sandia> change of KDC behavior, but like Ken, I can't
    pcmoore@sandia> imagine that it would catch anyone by surprise.
    pcmoore@sandia> And the fix is a really important security feature
    pcmoore@sandia> to any site that needs to allow user2user, and to
    pcmoore@sandia> require preauthentication.

I don't consider this a high priority for our implementation because
we don't really have a good implementation of U2U at the current time.

We'd need to have SPNEGO, so a client can determine whether it should
be using U2U or normal Kerberos.  We'd also need to support the U2U
mechanism.

I'm not sure I see a problem taking the patch under than the change in
semantics.

So again, I continue to believe that the best course of action is to
solicit review of the change in semantics and if people don't complain
then adopt the patch.