disallow requests naming principal as a service
jbrezak at windows.microsoft.com
Tue Mar 26 20:57:00 EST 2002
The suggested text makes sense to me. We may need to enlist you in the
email from the GSSAPI experts that will follow from that bait.
From: Sam Hartman [mailto:hartmans at MIT.EDU]
Sent: Tuesday, March 26, 2002 4:51 PM
To: Moore, Patrick
Cc: John Brezak; krbdev at MIT.EDU; John Brezak (E-mail); Nicolas Williams;
Subject: Re: disallow requests naming principal as a service
>>>>> "Moore," == Moore, Patrick <pcmoore at sandia.gov> writes:
Moore,> It's not required by our globus application, nor by U2U
Moore,> draft. We use it if we get it, (and we get it today from
Moore,> DCE KDCs) and possibly save some round-trips. The U2U
Moore,> draft doesn't preclude in any way negotiating in advance
Moore,> whether U2U is required. But supports that you MAY learn
Moore,> that from the KDC or from the server.
I tried to ask this in SLC (or wherever the U2U mechanism was last
discussed) but apparently failed.
I'd like to see text in the U2u draft discussing negotiation and saying
that protocol designers contemplating the use of the U2U GSSAPI
mechanism should provide a negotiation layer both to provide for
negotiation of future authentication mechanisms and to provide for
selection of U2U vs normal Kerberos in cases where both are allowed or
where the KDC does not communicate the info.
I don't have a problem with giving application designers an error code
to work with for legacy applications. I do want to make sure we explain
the issues to future protocol designers so that we don't get a bunch of
protocols that rely on the KDC returning some error code when doing so
will not work correctly even in cases where the KDC implements the
More information about the krbdev