Sam and I got together today and discussed this issue. We believe that by adding the following text we have the right trade-off:

    If anonymous PKINIT is used, the returned realm name MUST be the anonymous realm.

All the issues in this thread are assumed to have been addressed with this proposed change. This is pending workgr

--larry

-----Original Message-----
From: ietf-krb-wg-bounces@xxxxxxxxxxxxx [mailto:ietf-krb-wg-bounces@xxxxxxxxxxxxx] On Behalf Of Sam Hartman
Sent: Tuesday, July 08, 2008 7:21 AM
To: Larry Zhu
Cc: ietf-krb-wg@xxxxxxx; ietf@xxxxxxxx
Subject: Re: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous

>>>>> "Larry" == Larry Zhu <lzhu@xxxxxxxxxxxxxxxxxxxxx> writes:

    >> First, if I call gss_display_name on an anonymous principal in
    >> an acceptor, what do I expect to get back?

    Larry> Would section 2.1.1 of RFC1964 be sufficient for this
    Larry> purpose?

Not really. As Ken pointed out, there is a significant mess surrounding GSS-API and anonymous names. See section 4.5 in RFC 2743. In particular, two anonymous names need to compare as false; a special name type is used; etc. The GSS-API semantics do not seem to match well onto some of the Kerberos semantics you propose.

Martin Rex said that the anonymous support was relatively immature in GSS-API and that perhaps it needed to be revisited. I tend to agree.

The other concern I have is the multiple ways to specify anonymous names for the AS case. I don't understand why we need multiple ways to do that.

--Sam

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@xxxxxxxxxxxxx
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf