I think it would be inappropriate to change the behavior for existing applications with regard to the ok-as-delegate flag. Allowing the realm to override and prevent delegation would violate the software engineering principle of designing for your user. However, adding a new mechanism in the krb5 library and in the GSS-API so that an application can say "Please delegate if the local realm thinks it is a good idea" is a reasonable goal. It would require a new GSS flag and new APIs at the krb5 layer.