
RE: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous

2008-07-27 08:01:10
Sam and I got together today and discussed this issue. We believe that by adding the 
following text we have the right trade-off.

  If anonymous PKINIT is used, the returned realm name MUST be the anonymous 
realm.

All the issues in this thread are assumed to have been addressed with this 
proposed change. This is pending workgr
--larry
-----Original Message-----
From: ietf-krb-wg-bounces(_at_)lists(_dot_)anl(_dot_)gov 
[mailto:ietf-krb-wg-bounces(_at_)lists(_dot_)anl(_dot_)gov] On Behalf Of Sam 
Hartman
Sent: Tuesday, July 08, 2008 7:21 AM
To: Larry Zhu
Cc: ietf-krb-wg(_at_)anl(_dot_)gov; ietf(_at_)ietf(_dot_)org
Subject: Re: [Ietf-krb-wg] Late Last Call comments: draft-ietf-krb-wg-anonymous

"Larry" == Larry Zhu <lzhu(_at_)windows(_dot_)microsoft(_dot_)com> writes:

    >> First, if I call gss_display_name on an anonymous principal in
    >> an acceptor, what do I expect to get back?

    Larry> Would section 2.1.1 of RFC1964 be sufficient for this
    Larry> purpose?

not really.  As Ken pointed out, there is a significant mess
surrounding GSS-API and anonymous names.  See section 4.5 in RFC 2743.
In particular, two anonymous names need to compare as false; a special
name type is used; etc.  The GSS-API semantics do not seem to match
well onto some of the Kerberos semantics you propose.

Martin Rex said that the anonymous support was relatively immature in
GSS-API and that perhaps it needed to be revisited.  I tend to agree.

The other concern I have is the multiple ways to specify anonymous
names for the AS case.  I don't understand why we need multiple ways
to do that.

--Sam

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg(_at_)lists(_dot_)anl(_dot_)gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
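The two rules the thread turns on, modelled as an added example that is not part of the original messages, the draft, or any Kerberos or GSS-API implementation: Larry's proposed text (an anonymous-PKINIT ticket carries the anonymous realm, so the acceptor can recognise it from the principal name) and the RFC 2743 section 4.5 semantics Sam cites (anonymous names have a special name type and never compare equal, so authorization must go through name comparison rather than display strings). The realm and principal strings, `WELLKNOWN:ANONYMOUS` and `WELLKNOWN/ANONYMOUS`, are assumptions taken from the later published RFC 6112; the thread itself only says "the anonymous realm". The `GssName`, `compare_name` and `authorize*` helpers are hypothetical stand-ins for `gss_import_name`, `gss_compare_name` and an acceptor's ACL check.

```python
"""Model of anonymous-name handling on the acceptor side.

Added example, not code from the draft or from any Kerberos/GSS-API library.
Rule 1 (Larry's proposed MUST): anonymous PKINIT returns the anonymous realm.
Rule 2 (RFC 2743 4.5, as Sam summarises it): anonymous names carry a special
name type and two anonymous names never compare equal.
"""
from dataclasses import dataclass

# Assumed values (from the later RFC 6112); the thread only says "the anonymous realm".
ANONYMOUS_REALM = "WELLKNOWN:ANONYMOUS"
ANONYMOUS_PRINCIPAL = "WELLKNOWN/ANONYMOUS"

# Stand-ins for the GSS-API name-type OIDs GSS_C_NT_ANONYMOUS and
# GSS_KRB5_NT_PRINCIPAL_NAME (hypothetical string tags, not real OIDs).
NT_ANONYMOUS = "GSS_C_NT_ANONYMOUS"
NT_KRB5_PRINCIPAL = "GSS_KRB5_NT_PRINCIPAL_NAME"


@dataclass(frozen=True)
class KrbPrincipal:
    """A Kerberos client principal as the acceptor sees it after AP-REQ processing."""
    name: str
    realm: str

    def is_anonymous(self) -> bool:
        """Anonymity is carried by the well-known anonymous principal name."""
        return self.name == ANONYMOUS_PRINCIPAL

    def realm_is_anonymous(self) -> bool:
        """Rule 1: with anonymous PKINIT the KDC MUST return the anonymous realm,
        so an acceptor can also recognise such a ticket from the realm alone."""
        return self.realm == ANONYMOUS_REALM

    def display(self) -> str:
        return f"{self.name}@{self.realm}"


@dataclass(frozen=True)
class GssName:
    """Model of a GSS-API internal name: display string plus name type."""
    display: str
    name_type: str


def import_name(p: KrbPrincipal) -> GssName:
    """Map a Kerberos principal to a GSS-API name; anonymous clients get the
    special anonymous name type instead of the principal-name type."""
    if p.is_anonymous():
        return GssName(p.display(), NT_ANONYMOUS)
    return GssName(p.display(), NT_KRB5_PRINCIPAL)


def compare_name(a: GssName, b: GssName) -> bool:
    """gss_compare_name semantics per RFC 2743 4.5: an anonymous name is never
    equal to any name, not even another anonymous name with the same display."""
    if a.name_type == NT_ANONYMOUS or b.name_type == NT_ANONYMOUS:
        return False
    return a.name_type == b.name_type and a.display == b.display


def authorize(initiator: GssName, acl: list) -> bool:
    """Acceptor ACL check done the GSS-API way: an anonymous initiator can
    never match an entry, even an entry with an identical display string."""
    return any(compare_name(initiator, entry) for entry in acl)


def authorize_by_string(initiator: GssName, acl: list) -> bool:
    """The pitfall: comparing display strings. Every anonymous initiator
    renders identically, so a string-keyed ACL silently admits all of them."""
    return any(initiator.display == entry.display for entry in acl)


if __name__ == "__main__":
    # Constructed sample principals.
    anon_a = import_name(KrbPrincipal(ANONYMOUS_PRINCIPAL, ANONYMOUS_REALM))
    anon_b = import_name(KrbPrincipal(ANONYMOUS_PRINCIPAL, ANONYMOUS_REALM))
    alice = import_name(KrbPrincipal("alice", "EXAMPLE.COM"))
    print("anon vs anon:", compare_name(anon_a, anon_b))      # False
    print("alice vs alice:", compare_name(alice, alice))      # True
    print("string ACL admits anon:", authorize_by_string(anon_a, [anon_b]))  # True
    print("name ACL admits anon:", authorize(anon_a, [anon_b]))              # False
```

The point the model makes for an acceptor author: the display string `gss_display_name` returns for an anonymous client is the same for every anonymous client, so any policy keyed on that string (logging is fine, access control is not) treats all of them as one identity; the name type and `gss_compare_name` are what distinguish an anonymous name, and the proposed MUST on the returned realm is what lets the Kerberos layer tag the name correctly in the first place.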
