Path: utzoo!attcan!uunet!aplcen!uakari.primate.wisc.edu!zaphod.mps.ohio-state.edu!usc!apple!agate!shelby!CS.WASHINGTON.EDU!bcn
From: bcn@CS.WASHINGTON.EDU (Clifford Neuman)
Newsgroups: comp.protocols.kerberos
Subject: Accounting Services, etc.
Message-ID: <9006020500.AA29287@n1dmm.cs.washington.edu>
Date: 2 Jun 90 05:00:29 GMT
References: <4007@darkstar.ucsc.edu>
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 21

I have put considerable thought into how to properly handle both
authorization and accounting through Kerberos.  The authorization data
field in version 5 of Kerberos allows these functions to be easily
supported.  I have been working on a paper that outlines my approach,
but that paper has been temporarily on hold.  If people keep after me,
I will polish it off.  The abstract follows.

	~ Cliff
---
Authentication Based Authorization and Accounting

In recent years there has been much interest in secure authentication
of principals across computer networks.  There was been less
discussion of distributed mechanism to support authorization and
accounting.  These problems are much closer to authentication than
most people realize.  By generalizing the authentication model to
support restricted proxies, both authorization and accounting can be
easily supported.  This paper shows how to support restricted proxies
in an authentication system, presents the appropriate model for
authorization and accounting, and describes how they may be easily
implemented on top of authentication.