|Subject:||KDC should not check transited policy on intermediat tgts|
|Date:||Thu, 3 Apr 2003 11:09:25 -0500 (EST)|
|From:||hartmans@MIT.EDU (Sam Hartman)|
Section 1.1 of Kerberos clarifications recommends that even if the KDC
is doing transited policy checking, only the KDC closest to the
application should do so. I propose that we make krb5_rd_req have an
option to turn TP checking into a non-fatal condition and use this
option to avoid doing TP checking on intermediate KDCs.
I don't think this should be a 1.3 feature although I would like to
see it in 1.3.1.