disallow requests naming principal as a service

John Brezak jbrezak at windows.microsoft.com
Tue Mar 26 20:57:00 EST 2002

The suggested text makes sense to me. We may need to enlist you in the
email from the GSSAPI experts that will follow from that bait.

-----Original Message-----
From: Sam Hartman [mailto:hartmans at MIT.EDU] 
Sent: Tuesday, March 26, 2002 4:51 PM
To: Moore, Patrick
Cc: John Brezak; krbdev at MIT.EDU; John Brezak (E-mail); Nicolas Williams;
Matt Crawford
Subject: Re: disallow requests naming principal as a service

>>>>> "Moore," == Moore, Patrick <pcmoore at sandia.gov> writes:

    Moore,> It's not required by our globus application, nor by U2U
    Moore,> draft.  We use it if we get it, (and we get it today from
    Moore,> DCE KDCs) and possibly save some round-trips. The U2U
    Moore,> draft doesn't preclude in any way negotiating in advance
    Moore,> whether U2U is required.  But supports that you MAY learn
    Moore,> that from the KDC or from the server.

I tried to ask this in SLC (or wherever the U2U mechanism was last
discussed) but apparently failed.

I'd like to see text in the U2u draft discussing negotiation and saying
that protocol designers contemplating the use of the U2U GSSAPI
mechanism should provide a negotiation layer both to provide for
negotiation of future authentication mechanisms and to provide for
selection  of U2U vs normal Kerberos  in cases where both are allowed or
where the KDC does not communicate the info.

I don't have a problem with giving application designers an error code
to work with for legacy applications.  I do want to make sure we explain
the issues to future protocol designers so that we don't get a bunch of
protocols that rely on the KDC returning some error code when doing so
will not work correctly even in cases where the KDC implements the

More information about the krbdev mailing list