Realm lookups again

Jeffrey Altman jaltman at secure-endpoints.com
Sat Oct 4 10:56:51 EDT 2008


Greg Hudson wrote:
> Thanks for the input so far.  One final (I hope) question about the
> host->realm heuristic:
> 
>     domain = fqdn;
>     while (domain.label_count > 2) {
>         domain = pop_label(domain);
>         realm = domain2realm(domain); /* for ASCII: toupper() */
>         if (lookup_kdcs(realm) > 0)
>             break;
>         realm = NULL;
>     }
> 
> Is there any reason not to check the domain itself as a realm?  For
> example, if you are doing Kerberized HTTP authentication to sun.com,
> would you not want the client to intuit that the appropriate realm of
> sun.com is SUN.COM?
> 
> (I reviewed the Dec 2006 and April 2008 threads about this topic, and
> found no direct discussion of this specific point.)

I believe the answer is 'yes'.

Jeffrey Altman
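The heuristic quoted above, as an added worked example (not code from this thread or from MIT krb5): it reproduces the quoted loop and the variant Greg asks about, in which the host's own domain is tried as a realm before any label is popped. `lookup_kdcs` is modelled by a constructed table of realms with KDCs rather than a DNS SRV query, and `pop_label`, `domain2realm` and `SAMPLE_KDCS` are names assumed for this example.

```python
from typing import Callable, Dict, Optional

# Constructed sample of "which realms have KDCs" (number of KDCs per realm).
# A real client learns this from DNS SRV records or krb5.conf, so the answer
# is only as trustworthy as that source.
SAMPLE_KDCS: Dict[str, int] = {
    "SUN.COM": 2,
    "CS.EXAMPLE.EDU": 1,
    "EXAMPLE.EDU": 1,
}

def sample_lookup_kdcs(realm: str) -> int:
    """Stand-in for lookup_kdcs(): KDC count for a realm, 0 if none."""
    return SAMPLE_KDCS.get(realm, 0)

def domain2realm(domain: str) -> str:
    """Map a DNS domain to a candidate realm (ASCII: upper-case)."""
    return domain.upper()

def label_count(domain: str) -> int:
    return len(domain.split("."))

def pop_label(domain: str) -> str:
    """Drop the leftmost label: 'www.sun.com' -> 'sun.com'."""
    return domain.split(".", 1)[1]

def host_to_realm(fqdn: str, lookup_kdcs: Callable[[str], int],
                  check_self: bool = True) -> Optional[str]:
    """Walk up the domain tree from fqdn and return the first candidate
    realm for which lookup_kdcs() reports a KDC, or None.

    check_self=False is the quoted loop: a label is popped before the
    first check, so a two-label name like 'sun.com' is never tried.
    check_self=True tries the host's own domain first.  Neither variant
    descends below two labels, so a bare TLD is never used as a realm.
    """
    domain = fqdn.rstrip(".").lower()
    if not check_self:
        if label_count(domain) <= 2:
            return None
        domain = pop_label(domain)
    while True:
        realm = domain2realm(domain)
        if lookup_kdcs(realm) > 0:
            return realm
        if label_count(domain) <= 2:
            return None
        domain = pop_label(domain)
```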