"Larry" == Larry Zhu <lzhu(_at_)windows(_dot_)microsoft(_dot_)com> writes:
>> First, if I call gss_display_name on an anonymous principal in
>> an acceptor, what do I expect to get back?
Larry> Would section 2.1.1 of RFC1964 be sufficient for this
Larry> purpose?
Not really. As Ken pointed out, there is a significant mess
surrounding GSS-API and anonymous names. See section 4.5 in RFC 2743.
In particular, two anonymous names need to compare as false; a special
name type is used; etc. The GSS-API semantics do not seem to match
well onto some of the Kerberos semantics you propose.
Martin Rex said that the anonymous support was relatively immature in
GSS-API and that perhaps it needed to be revisited. I tend to agree.
The other concern I have is the multiple ways to specify anonymous
names for the AS case. I don't understand why we need multiple ways
to do that.
--Sam