Received: from cz.mit.edu (CARTER-ZIMMERMAN.MIT.EDU [18.18.3.197]) by krbdev.mit.edu (8.9.3p2) with ESMTP id QAA26162; Thu, 22 Jul 2004 16:34:55 -0400 (EDT)
Received: by cz.mit.edu (Postfix, from userid 8042) id 8FE8CE0053; Thu, 22 Jul 2004 16:35:10 -0400 (EDT)
To: rt@krbdev.mit.edu
Cc:
Subject: Re: [krbdev.mit.edu #2641] KRB5_KDB_DISALLOW_SVR flag unnecessarily prevents User2User
References:
From: Sam Hartman
Date: Thu, 22 Jul 2004 16:35:10 -0400
In-Reply-To: (rt-comment@krbdev.mit.edu's message of "Thu, 22 Jul 2004 16:15:47 -0400 (EDT)")
Message-Id:
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 1019

>>>>> "pcmoore@sandia" == pcmoore@sandia gov via RT writes:

    pcmoore@sandia> I agree that the proposed fix would cause a subtle
    pcmoore@sandia> change of KDC behavior, but like Ken, I can't
    pcmoore@sandia> imagine that it would catch anyone by surprise.
    pcmoore@sandia> And the fix is a really important security feature
    pcmoore@sandia> to any site that needs to allow user2user, and to
    pcmoore@sandia> require preauthentication.

I don't consider this a high priority for our implementation because we don't really have a good implementation of U2U at the current time. We'd need to have SPNEGO, so a client can determine whether it should be using U2U or normal Kerberos. We'd also need to support the U2U mechanism.

I'm not sure I see a problem taking the patch other than the change in semantics. So again, I continue to believe that the best course of action is to solicit review of the change in semantics and, if people don't complain, then adopt the patch.