Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by krbdev.mit.edu (8.9.3) with ESMTP id LAA27979;
	Thu, 3 Apr 2003 11:09:28 -0500 (EST)
Received: from luminous.mit.edu (LUMINOUS.MIT.EDU [18.101.1.61])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h33G9Qs4001859
	for ; Thu, 3 Apr 2003 11:09:27 -0500 (EST)
Received: by luminous.mit.edu (Postfix, from userid 1000)
	id F247E76867; Thu, 3 Apr 2003 11:09:25 -0500 (EST)
To: krb5-bugs@mit.edu
Subject: KDC should not check transited policy on intermediate tgts
Message-Id: <20030403160925.F247E76867@luminous.mit.edu>
Date: Thu, 3 Apr 2003 11:09:25 -0500 (EST)
From: hartmans@MIT.EDU (Sam Hartman)
X-RT-Original-Encoding: iso-8859-1
Content-Length: 416

Section 1.1 of Kerberos clarifications recommends that even if the KDC
is doing transited policy checking, only the KDC closest to the
application should do so.

I propose that we make krb5_rd_req have an option to turn TP checking
into a non-fatal condition and use this option to avoid doing TP
checking on intermediate KDCs. I don't think this should be a 1.3
feature although I would like to see it in 1.3.1.
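
Added example, not part of the original message and not MIT krb5 code: a small C model of the behaviour proposed above, where a failed transited-policy check is fatal only when the KDC is issuing a ticket for an application service, and non-fatal when it is issuing a cross-realm TGT. The struct, function names, realm names and trusted-realm list are all assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical model of the proposal; none of these names exist in MIT krb5. */
enum tp_result { TP_ISSUE_CHECKED, TP_ISSUE_UNCHECKED, TP_REJECT };

struct tgs_request {
    const char *local_realm;      /* realm of the KDC handling the request */
    const char *sname, *sinst;    /* requested service principal: sname/sinst */
    const char *const *transited; /* realms recorded in the presented TGT */
    size_t n_transited;
};

/* Constructed policy: realms this KDC accepts as intermediates. */
static const char *const trusted[] = { "A.EXAMPLE.COM", "EXAMPLE.COM" };

/* Every transited realm must appear in the trusted list. */
static bool transited_ok(const struct tgs_request *r) {
    for (size_t i = 0; i < r->n_transited; i++) {
        bool found = false;
        for (size_t j = 0; j < sizeof trusted / sizeof *trusted; j++)
            found = found || strcmp(r->transited[i], trusted[j]) == 0;
        if (!found)
            return false;
    }
    return true;
}

/* A request for krbtgt/OTHER-REALM means this KDC is an intermediate hop. */
static bool is_intermediate_tgt(const struct tgs_request *r) {
    return strcmp(r->sname, "krbtgt") == 0 && strcmp(r->sinst, r->local_realm) != 0;
}

enum tp_result tgs_transited_decision(const struct tgs_request *r) {
    if (transited_ok(r))
        return TP_ISSUE_CHECKED;
    /* Failure is fatal only on the KDC closest to the application. */
    return is_intermediate_tgt(r) ? TP_ISSUE_UNCHECKED : TP_REJECT;
}

/* Constructed sample requests, all handled by the KDC for B.EXAMPLE.COM. */
static const char *const bad_path[] = { "A.EXAMPLE.COM", "OTHER.EXAMPLE.NET" };
static const char *const good_path[] = { "A.EXAMPLE.COM" };
static const struct tgs_request to_next_realm = { "B.EXAMPLE.COM", "krbtgt", "C.EXAMPLE.COM", bad_path, 2 };
static const struct tgs_request to_service = { "B.EXAMPLE.COM", "host", "app.b.example.com", bad_path, 2 };
static const struct tgs_request ok_service = { "B.EXAMPLE.COM", "host", "app.b.example.com", good_path, 1 };
int main(void) {
    printf("intermediate=%d service=%d ok=%d\n", tgs_transited_decision(&to_next_realm),
           tgs_transited_decision(&to_service), tgs_transited_decision(&ok_service));
    return 0;
}
```

The same failing path yields a ticket without a verified transited path when the target is the next realm's TGT, and a rejection when the target is an application service.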