A client name with an '@'

Nico Williams nico at cryptonector.com
Wed Jun 3 12:51:03 EDT 2015


On Wed, Jun 03, 2015 at 11:21:04AM -0400, Ken Hornstein wrote:
> >Or you might retain the uppercase realm and try to cross-sign between
> >the uppercase and lowercase realms.  Your (somewhat silly) clients logon
> >to the lowercase realm and gain access to the (less error-prone) uppercase
> >realm.
> 
> I think if you had two realms that differed only by case, that would be
> a recipe for a disaster (what happened when you tried to look up realm
> information in DNS, which is case-insensitive for lookup?).

Or hack on the KDCs to implement AD-style case-insensitive/preserving
realm matching.  I'm starting to think that we ought to do this in
Heimdal and MIT Kerberos, at least as an option.

> Also, the venerable Russ Allberry created a lowercase realm for Stanford,
> and repeatedly has said that if he had to do it all over again he wouldn't
> have done a lowercase realm; too much software assumes an uppercase realm.
> Maybe that has changed in the intervening years.

I'd stay away from lower-case realm naming.

We keep putting off reckoning with I18N.  But the more we do it the more
we'll effectively end up with the right solution (namely, recognize that
we just-send-8, say that only UTF-8 will interop reliably, then make
KerberosString be UTF8String with an IA5String implicit universal tag,
list domainname slots in the protocol and put U-labels in them,
recognize A-labels as aliasing U-labels in KDBs; with IDNA2008 we could
even do the right thing as to treating realms as domainnames that are
strangely capitalized).

Nico
-- 
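Added example, not code from the thread or from any KDC: a sketch of the case-insensitive but case-preserving realm matching Nico proposes, together with the collision check Ken's point implies (two realms that differ only by case must not both be registered). It assumes Python's stdlib `idna` codec (IDNA2003) as a stand-in for the IDNA2008 A-label/U-label aliasing mentioned, and folds ASCII case only, as DNS lookup does.

```python
from typing import Dict, Optional


def realm_key(realm: str) -> str:
    """Comparison key for a realm treated as a domain name.

    Strips one trailing dot, maps U-labels to A-labels so both spellings
    alias to one key (stdlib 'idna' codec, i.e. IDNA2003, assumed here as
    an approximation of IDNA2008), then folds ASCII case like DNS does.
    """
    name = realm.rstrip(".")
    try:
        ascii_form = name.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = name  # not a valid domain name: compare literally
    return ascii_form.lower()


class RealmTable:
    """KDC-side realm registry: matches case-insensitively, keeps the
    capitalization the administrator configured."""

    def __init__(self) -> None:
        self._by_key: Dict[str, str] = {}

    def add(self, realm: str) -> None:
        """Register a realm; refuse one that collides with an existing
        realm under case-insensitive / A-label comparison."""
        key = realm_key(realm)
        existing = self._by_key.get(key)
        if existing is not None and existing != realm:
            raise ValueError(f"realm {realm!r} collides with {existing!r}")
        self._by_key[key] = realm

    def lookup(self, realm: str) -> Optional[str]:
        """Canonical spelling for a client-supplied realm, or None."""
        return self._by_key.get(realm_key(realm))


if __name__ == "__main__":
    table = RealmTable()
    table.add("EXAMPLE.COM")            # constructed sample realm
    table.add("bücher.example")         # constructed U-label realm
    print(table.lookup("example.com"))  # canonical spelling preserved
    print(table.lookup("XN--BCHER-KVA.EXAMPLE"))
    try:
        table.add("example.com")        # differs only by case: refused
    except ValueError as err:
        print(err)
```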