Re: draft-lha-gssapi-delegate-policy-00.txt

On Mon, 2008-08-18 at 21:39 +0100, Love Hörnquist Åstrand wrote:
> 18 aug 2008 kl. 18.43 skrev Michael B Allen:
> 
> > On Mon, 18 Aug 2008 14:44:15 +0100
> > Love Hörnquist Åstrand <lha at kth.se> wrote:
> >
> >> Hello,
> >>
> >> I would like to propose the following work to be taken up in the
> >> working group
> >>
> >> http://www.ietf.org/internet-drafts/draft-lha-gssapi-delegate-policy-00.txt
> >
> > I would much prefer that clients respect the policy first and
> > only deviate from that behavior unless specifically instructed
> > (e.g. GSS_C_DELEG_IGNORE_POLICY_FLAG).
> 
> Yes, I think that would be preferable, but this idea meets much
> resistance when I propose it. IMO think it's a better idea to actually do
> something else about than fight about already existing semantics.

Except they are only existing semantics on Unix, not Windows, which is
the majority of krb5 clients these days.  Can we try it one more time?

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Attachment: signature.asc
Description: This is a digitally signed message part

