Principal naming

Greg Hudson ghudson at MIT.EDU
Sat Apr 11 13:49:19 EDT 2009

Can you be more specific about what real interoperability problems are
cropping up from either principal case sensitivity or from "degenerate"
principals like /@, and how you would like those problems to be

krb5 1.7 adds some support for protocol features which would allow a KDC
to treat principals as partially or completely case-insensitive.
Clients and servers are not expected to know the KDC's case-handling
policy; this is achieved by allowing clients to request canonicalization
of client principal names when obtaining initial tickets, and by
allowing servers to match server principals in keytabs by key rather
than by name.  There is no back-end support for case-folding in the
shipped DB2 and LDAP back ends, so that piece remains "a simple matter
of programming" for the moment.

More information about the krbdev mailing list