Subject: Re: [security-services] Proposed Agenda for SSTC Call (29 June 2010)
>>> Secondly, Scott has deployers who want to implement this. We're not
>>> sure what the use cases with the APREQ are, but the customer demand
>>> that Scott has is for passing actual Kerberos credentials in an
>>> attribute, and he doesn't know how that is best done.
>>
>> By "credential", do we mean "ticket"? If so, that's the point of the
>> AP_REQ message. The AP_REQ is the ticket + authenticator.
>
> I don't want to speak for CMU, but what we were told is that the normal
> thing to do is to transfer the tickets in some standard format, and then the
> receiver of that can produce new AP_REQ messages as needed.

Do you have any more information about this use-case? A Kerberos ticket is always transported in a Kerberos message. I'm sure that there's an appropriate message to use for their use-case, and we can trivially modify the schema to support that, but given the context it's not obvious what that message type should be.

josh.