Yoav Nir wrote:
>
> Fortunately, we have some really good mechanisms on the books that
> permit delegation including OAUTH*, KeyNote(2704), SASL (I think) and
> even going back to SPKI (rfc2693). I know that there are more.
>
> Supporting delegation is easy.
>
> Supporting delegation in a way that ordinary people can understand
> is very hard.

Kerberos originally contains a concept for "delegation of authority". The only scenario in which it seems to be used is in forwarding full control (forwarding a TGT, rather than a tailored service ticket).

About a decade ago, a different scheme of "delegation" was invented and is used with Kerberos today, called "Constrained Delegation" with "Protocol Transition", where the sysadmin configures which tickets a service is allowed to forge out of thin air at will (which obviates the need for the sysadmin to ask users for their passwords...).

-Martin
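As an added illustration of the configuration Martin describes (not code from the thread), the following script classifies Active Directory service accounts by the kind of Kerberos delegation configured on them: forwarding of full TGTs (unconstrained), a list of permitted target services (constrained), or constrained delegation combined with protocol transition. The attribute names and userAccountControl bits are the standard AD ones; the sample accounts are constructed.

```python
# Added example: audit Kerberos delegation settings on AD accounts.
# Input records mimic LDAP attribute dictionaries; the accounts are made up.

TRUSTED_FOR_DELEGATION = 0x80000            # UAC bit: unconstrained (may forward a user's TGT)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # UAC bit: protocol transition (S4U2Self)
ALLOWED_TO_DELEGATE_TO = "msDS-AllowedToDelegateTo"  # target SPNs for constrained delegation


def delegation_kind(account):
    """Return the delegation mode configured on one account record."""
    uac = int(account.get("userAccountControl", 0))
    targets = account.get(ALLOWED_TO_DELEGATE_TO, [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # The service can obtain tickets to the listed SPNs for any user
        # without that user ever authenticating to it.
        return "constrained+protocol-transition"
    if targets:
        return "constrained"
    return "none"


def audit(accounts):
    """Map sAMAccountName -> delegation mode for every account that has one."""
    findings = {}
    for acct in accounts:
        kind = delegation_kind(acct)
        if kind != "none":
            findings[acct["sAMAccountName"]] = kind
    return findings


# Constructed sample directory (0x200 is the NORMAL_ACCOUNT bit).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "websvc", "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     ALLOWED_TO_DELEGATE_TO: ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "proxysvc", "userAccountControl": 0x200,
     ALLOWED_TO_DELEGATE_TO: ["HTTP/app01.example.test"]},
    {"sAMAccountName": "legacysvc", "userAccountControl": 0x200 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {kind}")
```

Accounts reported as "constrained+protocol-transition" are the ones that can mint tickets for arbitrary users to their configured targets, so their target lists deserve the closest review.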