>>>>> "Larry" == Larry Zhu <lzhu@xxxxxxxxxxxxxxxxxxxxx> writes: >> First, if I call gss_display_name on an anonymous principal in >> an acceptor, what do I expect to get back? Larry> Would section 2.1.1 of RFC1964 be sufficient for this Larry> purpose? not really. As Ken pointed out, there is a significant mess surrounding GSS-API and anonymous names.See section 4.5 in RFC 2743. In particular, two anonymous names need to compare as false; a special name type is used; etc. The GSS-API semantics do not seem to match well onto some of the Kerberos semantics you propose. Martin Rex said that the anonymous support was relatively immature in GSS-API and that perhaps it needed to be revisited. I tend to agree. The other concern I have is the multiple ways to specify anonymous names for the AS case. I don't understand why we need multiple ways to do that. --Sam _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf