Host-realm pluggable interface scope questions
Nico Williams
nico at cryptonector.com
Mon Jun 17 12:26:03 EDT 2013
On Mon, Jun 17, 2013 at 11:12 AM, Greg Hudson <ghudson at mit.edu> wrote:
> * Should krb5_get_default_realm() be in scope? One can think of this as
> a special case of krb5_get_host_realm(), and some of the same
> mechanisms have historically applied (such as TXT lookups).
Yes, but only if the plugin has a way to request or indicate secure lookups.
> * Should hostname canonicalization be in scope? This is performed by
> krb5_sname_to_principal(), not krb5_get_host_realm(), but
> sname-to-principal is one of only two consumers of
> krb5_get_host_realm().
No.
> * Should hostname "cleaning" be in scope? This is where we convert
> hostnames to lower-case and strip off any trailing dot.
Absolutely not.
> * Should plugin modules be able to return multiple answers for the host
> realm? Our APIs currently allow this (for realm-of-host and
> fallback-realm-of-host, not for default-realm) but we only ever
> produce or consume one answer at the moment.
Yes.
I have two uses for this. One is for host principal canonicaliztion:
try one realm, then the next, when referrals aren't forthcoming. The
other is the name constraints checking I was referring to the other
day. Note that for the first case order matters.
Nico
--
More information about the krbdev
mailing list