
Re: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous

2008-07-08 07:21:40
"Larry" == Larry Zhu <lzhu(_at_)windows(_dot_)microsoft(_dot_)com> writes:

    >> First, if I call gss_display_name on an anonymous principal in
    >> an acceptor, what do I expect to get back?

    Larry> Would section 2.1.1 of RFC1964 be sufficient for this
    Larry> purpose?

Not really.  As Ken pointed out, there is a significant mess
surrounding GSS-API and anonymous names.  See section 4.5 in RFC 2743.
In particular, two anonymous names need to compare as false; a special
name type is used; etc.  The GSS-API semantics do not seem to match
well onto some of the Kerberos semantics you propose.

Martin Rex said that the anonymous support was relatively immature in
GSS-API and that perhaps it needed to be revisited.  I tend to agree.

The other concern I have is the multiple ways to specify anonymous
names for the AS case.  I don't understand why we need multiple ways
to do that.

--Sam
