On Mon, 24 Oct 2016, Shawn M Emery wrote: > > Agreed, however I noticed another area that could use better 2119 language in > regards to this. Here are the proposed updates: > > OLD: > Care MUST be taken by the KDC not to reveal the client's identity in the > authorization data of the returned ticket when populating the authorization > data in a returned anonymous ticket. > NEW: > The KDC MUST NOT reveal the client's identity in the authorization data of the > returned ticket when populating the authorization data in a returned anonymous > ticket. > > OLD: > Care MUST be taken by the TGS not to reveal the client's identity in the > authorization data of the returned ticket. > NEW: > The TGS MUST NOT reveal the client's identity in the authorization data of the > returned ticket. Those do look like parallel constructions that should get the same treatment. Thanks for spotting it. -Ben