Yoav Nir wrote:
Fortunately, we have some really good mechanisms on the books that
permit delegation including OAUTH*, KeyNote(2704), SASL (I think) and
even going back to SPKI (rfc2693). I know that there are more.
Supporting delegation is easy.
Supporting delegation in a way that ordinary people can understand
is very hard.
Kerberos originally contains a concept for "delegation of authority".
The only scenario in which it seems to be used is in forwarding full
control (forwarding a TGT, rather than a tailored service ticket).
About a decade ago, a different scheme of "delegation" was invented
and is used with Kerberos today, called "Constrained Delegation"
with "Protocol Transition", where the sysadmin configures which
tickets a service is allowed to forge out of thin air at will
(which obviates the need for the sysadmin to ask users for their passwords...).
-Martin