RE: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous

Sam and I got together today and discussed this issue. We believe that by adding the following text we have the right trade-off.

  If anonymous PKINIT is used, the returned realm name MUST be the anonymous realm.

All the issues in this thread are assumed to have been addressed with this proposed change. This is pending workgr
--larry
-----Original Message-----
From: ietf-krb-wg-bounces@xxxxxxxxxxxxx [mailto:ietf-krb-wg-bounces@xxxxxxxxxxxxx] On Behalf Of Sam Hartman
Sent: Tuesday, July 08, 2008 7:21 AM
To: Larry Zhu
Cc: ietf-krb-wg@xxxxxxx; ietf@xxxxxxxx
Subject: Re: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous

>>>>> "Larry" == Larry Zhu <lzhu@xxxxxxxxxxxxxxxxxxxxx> writes:

    >> First, if I call gss_display_name on an anonymous principal in
    >> an acceptor, what do I expect to get back?

    Larry> Would section 2.1.1 of RFC1964 be sufficient for this
    Larry> purpose?

Not really.  As Ken pointed out, there is a significant mess
surrounding GSS-API and anonymous names.  See section 4.5 in RFC 2743.
In particular, two anonymous names need to compare as false; a special
name type is used; etc.  The GSS-API semantics do not seem to match
well onto some of the Kerberos semantics you propose.

Martin Rex said that the anonymous support was relatively immature in
GSS-API and that perhaps it needed to be revisited.  I tend to agree.

The other concern I have is the multiple ways to specify anonymous
names for the AS case.  I don't understand why we need multiple ways
to do that.

--Sam

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@xxxxxxxxxxxxx
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg

_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf