The proposed text looks good.
--larry
-----Original Message-----
From: ietf-krb-wg-bounces(_at_)lists(_dot_)anl(_dot_)gov
[mailto:ietf-krb-wg-bounces(_at_)lists(_dot_)anl(_dot_)gov] On Behalf Of Sam
Hartman
Sent: Thursday, March 20, 2008 7:57 AM
To: ietf(_at_)ietf(_dot_)org
Cc: ietf-krb-wg(_at_)anl(_dot_)gov
Subject: [Ietf-krb-wg] Late Last Call Comment: draft-ietf-krb-wg-naming-04.txt
I think there is a minor ambiguity in the naming draft:
Consequently, unless otherwise
specified, a well-known Kerberos realm name MUST NOT be present in
transited encoding
Who enforces this requirement? That's an important question because
it controls who needs to support the specific well known realm in
order for it to be used.
In general using passive voice for such requirements is a really bad idea.
I'd recommend something like: Unless otherwise specified, parties
checking the transited realm path MUST reject a transited realm path
that includes a well known realm. In the case of KDCs checking the transited
realm path, this means that the transited policy checked flag MUST NOT be set
in the resulting ticket.
In particular, that means that a KDC that is not checking transited
realm paths is not encouraged to reject a request simply because the
realm in an unknown well known realm.
--Sam
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg(_at_)lists(_dot_)anl(_dot_)gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf