Skip Menu |

Subject: KDC should not check transited policy on intermediat tgts
Date: Thu, 3 Apr 2003 11:09:25 -0500 (EST)
From: hartmans@MIT.EDU (Sam Hartman)

Section 1.1 of Kerberos clarifications recommends that even if the KDC
is doing transited policy checking, only the KDC closest to the
application should do so. I propose that we make krb5_rd_req have an
option to turn TP checking into a non-fatal condition and use this
option to avoid doing TP checking on intermediate KDCs.

I don't think this should be a 1.3 feature although I would like to
see it in 1.3.1.