ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Late Last Call Comment: draft-ietf-krb-wg-naming-04.txt

2008-03-20 07:57:38
from [Sam Hartman] [Permanent Link] 


I think there is a minor ambiguity in  the naming draft:


Consequently, unless otherwise
  specified, a well-known Kerberos realm name MUST NOT be present in 
transited encoding


Who enforces this requirement?  That's an important question because
it controls who needs to support the specific well known realm in
order for it to be used.

In general using passive voice for such requirements is a really bad idea.

I'd recommend something like: Unless otherwise specified, parties
checking the transited realm path MUST reject a transited realm path
that includes a well known realm.  In the case of KDCs checking the transited 
realm path, this means that the transited policy checked flag MUST NOT be set 
in the resulting ticket.




In particular, that means that a KDC that is not checking transited
realm paths is not encouraged to reject a request simply because the
realm in an unknown well known realm.


--Sam
_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Late Last Call Comment: draft-ietf-krb-wg-naming-04.txt, Sam Hartman <=
Previous by Date:  RE: Nomcom process realities of "confidentiality", Ole Jacobsen
Next by Date:  RE: EAP applicability (Was: Re: IETF Last Call on Walled Garden Standard for the Internet), Avi Lior
Previous by Thread:  Re: Last Call: draft-funk-eap-ttls-v0 (EAP Tunneled TLS Authentication Protocol Version 0 (EAP-TTLSv0)) to Informational RFC, Jari Arkko
Next by Thread:  Gen-ART LC review of draft-ietf-ospf-multi-area-adj-07, Ben Campbell
Indexes:  [Date] [Thread] [Top] [All Lists]