Does Kerberos version 5 support i18n specifications?

Tom Yu tlyu at MIT.EDU
Thu Jul 16 11:46:29 EDT 2009

suma <suma.s.gururaj at> writes:

> I was told by some folks that some of the organizations such as
> Microsoft, Oracle etc., have implemented a kerberos solution to
> authenticate users with multibyte characters.  Is anyone aware of it?
> If I were to provide support to authenticate multibyte characters; do
> I need to not use MIT kerberos libraries.  Please advice how do I go
> about?

The Kerberos protocol (RFC 4120) allows only ASCII strings in
principal names.  The earlier specification, RFC 1510, had an
unconstrained GeneralString type for principal names; this ASN.1 type
has a specific meaning (a certain subset of the ISO 2022 "shift"
encoding schemes), but early implementors misinterpreted the meaning
of this type.

In practice, this meant that implementors, including MIT Kerberos,
used whatever character encoding was in effect in the operating
environment, whether that was UTF-8, ISO 8859-1, etc., thus creating
an interoperability problem.  There is no easy resolution to this
interoperability problem.  If you have suggestions on how to improve
this character encoding situation, we will be pleased to consider

More information about the Kerberos mailing list