To: krb5-bugs@mit.edu
Subject: KDC should not check transited policy on intermediate tgts
Date: Thu, 3 Apr 2003 11:09:25 -0500 (EST)
From: hartmans@MIT.EDU (Sam Hartman)

Section 1.1 of Kerberos clarifications recommends that even if the KDC
is doing transited policy checking, only the KDC closest to the
application should do so. I propose that we make krb5_rd_req have an
option to turn TP checking into a non-fatal condition and use this
option to avoid doing TP checking on intermediate KDCs.

I don't think this should be a 1.3 feature although I would like to
see it in 1.3.1.