[cifs-protocol] [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag - TrackingID#2107090040004014

Isaac Boukris iboukris at gmail.com
Tue Jul 27 08:22:20 UTC 2021


Hi Jeff & Obaid,

On Tue, Jul 27, 2021 at 1:45 AM Jeff McCashland <jeffm at microsoft.com> wrote:
>
> Hi Isaac,
>
> I have gotten some clarification on the comment "When this protection if enabled, it unifies the logic for Resource-Based Constrained Delegation (RBCD) with the original constrained delegation.".
>
> RBCD was recently updated to ensure that everyone honors the ticket issuer's request to not allow delegation. What the comment means is that the secure RBCD logic will stay in place, and that NonForwardableDelegation is being added to be able to turn off forwarding.

Thanks for sharing that, so my vague understanding is that the current
behavior doesn't change with the CVE-2020-16996 update, and that the
NonForwardableDelegation option was added which - I'm guessing - will
require the forwardable flag to be set on an evidence ticket even for
RBCD.

Hopefully the doc updates on this CVE's changes and the impact of the
NonForwardableDelegation option would shed some more light, and allow
us to fix our implementation.

Thanks!


