Cross-realm and U2U (#19,...)
KAMADA Ken'ichi
2005-02-25 09:20:30 UTC
# I've not been familiar with either cross-realm or U2U, so pointing
# out mistakes is truly appreciated.

Based on this and previous (<20050225114411XP%***@nanohz.org>)
mails, I would propose:

- change the KINK_TGT_REQ payload to carry the responder's principal
name.
- change the KINK_TGT_REP payload to carry only the TGT.
- when the responder is asked for a TGT, it returns an initial TGT in
the same realm as the requested responder's principal in the
KINK_TGT_REQ.


----------------------------------------------------------------
In this mail (from here on), I discuss which TGT should be returned in
reply to the GETTGT command and how it works.

Let's say:
A, B, and C are realms.
***@A is a KINK initiator principal.
***@C is a KINK responder principal.
***@C is a user (or PKINIT) principal.
There is a trust relationship between A and B, and also between B and C.

When ***@A wants to authenticate itself to ***@C,
there seem to be two ways:
1) ***@A transits to realm C and does a U2U authentication
at the KDC in C. The responder's TGT used here is the initial TGT
of realm C.
2) ***@C transits to realm A and does a U2U authentication
at the KDC in A. The responder's TGT used here is the cross-realm
TGT for realm A.

While I'm not confident that I completely understand the concept of
the "trust relationship" represented as an inter-realm key, I think 1)
is the right way. The reasons are below.

- If the trust relationship is unidirectional, 2) allows a
"reverse-direction" authentication.
- ***@A doesn't know whether ***@C can transit to
realm A, while it knows whether it can transit to realm C, or at
least can try it.

So my conclusion is that the responder should return its initial TGT.
In the cross-realm U2U case, the initiator should transit to the
responder's realm and do a U2U authentication there.
--
KAMADA Ken'ichi <***@nanohz.org>
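The following is an added illustration, not code from the mail above or from the KINK specification. It models the two directions of U2U authentication the mail compares as path finding over a directed trust graph (one cross-realm TGT per hop), so that the "reverse-direction" concern under unidirectional trust can be seen concretely, and it sketches the proposed GETTGT behaviour of returning only the responder's initial TGT. The realm names A, B and C follow the mail; the trust edges, the principal names initiator@A and responder@C, the credential cache entries and all function names are assumptions constructed for this example.

```python
"""Added illustration of the two U2U directions discussed in the mail above.
Realms A, B, C follow the mail; the trust edges, principal names, TGT cache
entries and function names are constructed for this example and are not
taken from KINK or from the author's proposal."""
from collections import deque

# Directed trust: an edge X -> Y means the KDC of X holds an inter-realm key
# for Y, so a principal of X can obtain a cross-realm TGT krbtgt/Y@X.
# Constructed: A trusts B and B trusts C, in one direction only.
UNIDIRECTIONAL_TRUST = {"A": {"B"}, "B": {"C"}, "C": set()}
# Constructed: the same chain with trust established in both directions.
BIDIRECTIONAL_TRUST = {"A": {"B"}, "B": {"A", "C"}, "C": {"B"}}


def realm_of(principal):
    """Realm part of 'name@REALM'."""
    return principal.rsplit("@", 1)[1]


def transit_path(trust, src_realm, dst_realm):
    """Shortest chain of realms a principal of src_realm can hop through
    (one cross-realm TGT per hop) to reach the KDC of dst_realm, or None
    if no chain of inter-realm keys exists in that direction."""
    if src_realm == dst_realm:
        return [src_realm]
    prev = {src_realm: None}
    queue = deque([src_realm])
    while queue:
        realm = queue.popleft()
        for nxt in sorted(trust.get(realm, ())):
            if nxt in prev:
                continue
            prev[nxt] = realm
            if nxt == dst_realm:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def way1_initiator_transits(trust, initiator, responder):
    """Way 1): the initiator transits to the responder's realm and does U2U
    at the responder's KDC, using the responder's initial TGT."""
    return transit_path(trust, realm_of(initiator), realm_of(responder))


def way2_responder_transits(trust, initiator, responder):
    """Way 2): the responder transits to the initiator's realm and does U2U
    at the initiator's KDC, using its cross-realm TGT for that realm."""
    return transit_path(trust, realm_of(responder), realm_of(initiator))


def gettgt_reply(tgt_cache, requested_principal):
    """Proposed GETTGT handling: the responder returns its *initial* TGT for
    the realm of the principal named in KINK_TGT_REQ (krbtgt/R@R) and never
    a cross-realm TGT, so the initiator is the side that has to transit."""
    realm = realm_of(requested_principal)
    return tgt_cache.get("krbtgt/%s@%s" % (realm, realm))


# Constructed responder credential cache: an initial TGT for its own realm C
# and a cross-realm TGT for realm A (opaque placeholders stand in for tickets).
RESPONDER_TGT_CACHE = {
    "krbtgt/C@C": "<initial TGT of responder@C>",
    "krbtgt/A@C": "<cross-realm TGT of responder@C for realm A>",
}

if __name__ == "__main__":
    init, resp = "initiator@A", "responder@C"
    for label, trust in (("unidirectional", UNIDIRECTIONAL_TRUST),
                         ("bidirectional", BIDIRECTIONAL_TRUST)):
        print(label, "way 1:", way1_initiator_transits(trust, init, resp))
        print(label, "way 2:", way2_responder_transits(trust, init, resp))
    print("GETTGT reply:", gettgt_reply(RESPONDER_TGT_CACHE, resp))
```

With the unidirectional edges, way 1 finds the chain A, B, C while way 2 finds no path at all, which is the situation in which way 2 would amount to authenticating against the direction of the configured trust; with bidirectional edges both ways succeed. The GETTGT helper only ever hands back krbtgt/C@C for a principal in C, matching the proposal that KINK_TGT_REP carry the initial TGT.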