The proposed text looks good.

--larry

-----Original Message-----
From: ietf-krb-wg-bounces@xxxxxxxxxxxxx [mailto:ietf-krb-wg-bounces@xxxxxxxxxxxxx] On Behalf Of Sam Hartman
Sent: Thursday, March 20, 2008 7:57 AM
To: ietf@xxxxxxxx
Cc: ietf-krb-wg@xxxxxxx
Subject: [Ietf-krb-wg] Late Last Call Comment: draft-ietf-krb-wg-naming-04.txt

I think there is a minor ambiguity in the naming draft:

> Consequently, unless otherwise
> specified, a well-known Kerberos realm name MUST NOT be present in transited encoding

Who enforces this requirement? That's an important question because it controls who needs to support the specific well known realm in order for it to be used.

In general using passive voice for such requirements is a really bad idea.

I'd recommend something like:

Unless otherwise specified, parties checking the transited realm path MUST reject a transited realm path that includes a well known realm. In the case of KDCs checking the transited realm path, this means that the transited policy checked flag MUST NOT be set in the resulting ticket.

In particular, that means that a KDC that is not checking transited realm paths is not encouraged to reject a request simply because the realm is an unknown well known realm.

--Sam
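The rule proposed in the message above, sketched per enforcing party as an added example (not part of the thread, the draft, or any Kerberos implementation). Assumptions: the transited path is already expanded into a list of realm names, the `WELLKNOWN:` realm-name prefix is taken from the naming draft and is not quoted in the thread, and `Role`, `Decision` and `evaluate` are hypothetical names.

```python
from dataclasses import dataclass
from enum import Enum

# Assumption: realm-name prefix from the naming draft; not quoted in the thread.
WELLKNOWN_PREFIX = "WELLKNOWN:"


class Role(Enum):
    KDC_CHECKING = "KDC that checks the transited realm path"
    KDC_NOT_CHECKING = "KDC that does not check the transited realm path"
    APP_SERVER = "application server checking the path itself"


@dataclass(frozen=True)
class Decision:
    accept: bool                   # processing continues (ticket issued or accepted)
    may_set_policy_checked: bool   # a KDC may set the transited-policy-checked flag,
                                   # subject to its ordinary local policy check
    reason: str


def evaluate(path, role, permitted_well_known=frozenset()):
    """Apply the proposed wording to an already-expanded transited realm list.

    permitted_well_known models the "unless otherwise specified" exceptions.
    The ordinary local trust-policy check is out of scope for this sketch.
    """
    if role is Role.KDC_NOT_CHECKING:
        # Not a checking party: it does not reject because of an unknown
        # well-known realm, and it makes no claim that policy was checked.
        return Decision(True, False, "path not checked")
    offending = [r for r in path
                 if r.startswith(WELLKNOWN_PREFIX) and r not in permitted_well_known]
    if not offending:
        return Decision(True, role is Role.KDC_CHECKING, "no well-known realm in path")
    reason = "well-known realm in path: " + offending[0]
    if role is Role.KDC_CHECKING:
        # The path fails the check, so the resulting ticket carries no flag.
        return Decision(True, False, reason)
    # Any other checking party rejects the path outright.
    return Decision(False, False, reason)


# Constructed sample path; the realm names are illustrative only.
SAMPLE_PATH = ["A.EXAMPLE", "WELLKNOWN:EXAMPLE", "B.EXAMPLE"]
```

The three roles show who carries the requirement: only parties that check the path need to know about well-known realms, which is the ambiguity the message raises.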