
RE: [Ietf-krb-wg] Late Last Call Comment: draft-ietf-krb-wg-naming-04.txt

2008-07-27 07:02:36
The proposed text looks good.

--larry

-----Original Message-----
From: ietf-krb-wg-bounces(_at_)lists(_dot_)anl(_dot_)gov [mailto:ietf-krb-wg-bounces(_at_)lists(_dot_)anl(_dot_)gov] On Behalf Of Sam Hartman
Sent: Thursday, March 20, 2008 7:57 AM
To: ietf(_at_)ietf(_dot_)org
Cc: ietf-krb-wg(_at_)anl(_dot_)gov
Subject: [Ietf-krb-wg] Late Last Call Comment: draft-ietf-krb-wg-naming-04.txt



I think there is a minor ambiguity in the naming draft:

    Consequently, unless otherwise specified, a well-known Kerberos realm
    name MUST NOT be present in transited encoding

Who enforces this requirement?  That's an important question because
it controls who needs to support the specific well known realm in
order for it to be used.

In general using passive voice for such requirements is a really bad idea.

I'd recommend something like: Unless otherwise specified, parties
checking the transited realm path MUST reject a transited realm path
that includes a well known realm.  In the case of KDCs checking the transited 
realm path, this means that the transited policy checked flag MUST NOT be set 
in the resulting ticket.

In particular, that means that a KDC that is not checking transited
realm paths is not encouraged to reject a request simply because the
realm is an unknown well-known realm.

--Sam
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg(_at_)lists(_dot_)anl(_dot_)gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
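The active-voice rule Sam proposes above, as an added illustration that is not part of the thread or of the draft: a KDC that checks the transited path rejects any path containing a well-known realm and never sets the transited-policy-checked flag for it, while a KDC that does not check simply leaves the flag clear so the application server must do the check itself. The transited path is modelled as an already-decoded list of realm names rather than the compressed transited encoding, and the "WELLKNOWN:" realm prefix is taken from the published RFC 6111 convention; realm values are constructed for the example.

```python
from dataclasses import dataclass

# Assumption: well-known realm names carry this prefix (RFC 6111 convention).
WELL_KNOWN_PREFIX = "WELLKNOWN:"


def is_well_known_realm(realm: str) -> bool:
    """Realm names are case-sensitive in Kerberos, so match the prefix exactly."""
    return realm.startswith(WELL_KNOWN_PREFIX)


@dataclass
class TicketDecision:
    issued: bool                      # did the KDC issue the ticket at all
    transited_policy_checked: bool    # the TRANSITED-POLICY-CHECKED ticket flag
    reason: str


def kdc_decide(transited_path: list[str], kdc_checks_transited: bool) -> TicketDecision:
    """Apply the proposed rule from the KDC's point of view.

    transited_path is the decoded list of intermediate realms the client's
    credentials have passed through (constructed here, not parsed from the
    compressed transited encoding).
    """
    if not kdc_checks_transited:
        # A KDC that does not check the path is not asked to reject merely
        # because a realm is an (unknown) well-known realm; the flag stays clear
        # so that the application server performs the check.
        return TicketDecision(True, False, "transited path not checked by this KDC")
    offending = [r for r in transited_path if is_well_known_realm(r)]
    if offending:
        # Checking party MUST reject; the flag is never set in the result.
        return TicketDecision(False, False, f"well-known realm in transited path: {offending}")
    return TicketDecision(True, True, "transited path checked and acceptable")


def server_accepts(decision: TicketDecision, transited_path: list[str]) -> bool:
    """Application server: trust the KDC's flag, otherwise apply the same check."""
    if not decision.issued:
        return False
    if decision.transited_policy_checked:
        return True
    return not any(is_well_known_realm(r) for r in transited_path)


# Constructed sample paths: a plain cross-realm hop, and one via a well-known realm.
CLEAN_PATH = ["EXAMPLE.COM", "PARTNER.EXAMPLE"]
TAINTED_PATH = ["EXAMPLE.COM", "WELLKNOWN:ANONYMOUS"]
```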
