Principal naming
Shawn M Emery
Shawn.Emery at Sun.COM
Sat Apr 11 02:17:37 EDT 2009
Recently there has been some ambiguity on how to handle case sensitivity
for principal names. Various principal name components are used either
in upper or lower case. For example the following principal names are
considered valid:
HTTP/host1.example.com@EXAMPLE.COM
HOST/host1.example.com@EXAMPLE.COM
host/host1.example.com@EXAMPLE.COM
host/HOST1.EXAMPLE.COM@EXAMPLE.COM
In order to prevent issues with interoperability, I believe that it
should be made clear what we can infer from a principal name and
that the various implementations reflect this.
The other question/issue is that there is no formal syntax to represent
valid principal names. Currently there are a number of questionable
principal names that can be added to the database. For example:
host/@EXAMPLE.COM
host/@
/@
//@
user@
Some principal names cannot be used with Kerberos utilities, others may
be able to by accident. My opinion is that a formal syntax for
principal names should exist, but should also allow for future
extensions. The syntax can be used to enforce which principal names are
allowed to be populated in the database and therefore supported by the
various utilities.
Shawn.
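
An added example, not part of the original post and not code from any Kerberos implementation: one possible strict syntax check applied to the names listed above, plus a pass that groups names differing only by case. The rules (no empty component, no empty realm after '@', backslash as the escape character) and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Names copied from the post above.
VALID = ["HTTP/host1.example.com@EXAMPLE.COM", "HOST/host1.example.com@EXAMPLE.COM",
         "host/host1.example.com@EXAMPLE.COM", "host/HOST1.EXAMPLE.COM@EXAMPLE.COM"]
QUESTIONABLE = ["host/@EXAMPLE.COM", "host/@", "/@", "//@", "user@"]

def parse_principal(name):
    """Split into (components, realm); realm is None when no '@' is present.
    Assumption: a backslash makes the next character literal."""
    comps, cur, in_realm, esc = [], [], False, False
    for ch in name:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == "@":
            if in_realm:
                raise ValueError("more than one unescaped '@'")
            comps.append("".join(cur))
            cur, in_realm = [], True
        elif ch == "/" and not in_realm:
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if esc:
        raise ValueError("dangling backslash")
    if in_realm:
        return comps, "".join(cur)
    return comps + ["".join(cur)], None

def problems(name):
    """Reasons a name fails the hypothetical strict syntax (empty list = accepted)."""
    try:
        comps, realm = parse_principal(name)
    except ValueError as exc:
        return [str(exc)]
    found = ["empty component"] if "" in comps else []
    return found + (["empty realm"] if realm == "" else [])

def case_collisions(names):
    """Group names that become identical once case is ignored."""
    groups = defaultdict(list)
    for n in names:
        comps, realm = parse_principal(n)
        groups[(tuple(c.casefold() for c in comps), (realm or "").casefold())].append(n)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    for n in VALID + QUESTIONABLE:
        print(f"{n!r:45} {problems(n) or 'ok'}")
    print("differ only by case:", case_collisions(VALID))
```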