Late Last Call Comment: draft-ietf-krb-wg-naming-04.txt

Sam Hartman <hartmans-ietf@mit.edu> Thu, 20 March 2008 14:59 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: ietf@ietf.org
Subject: Late Last Call Comment: draft-ietf-krb-wg-naming-04.txt
Date: Thu, 20 Mar 2008 10:57:02 -0400
Message-ID: <tsld4ppmojl.fsf@mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Cc: ietf-krb-wg@anl.gov


I think there is a minor ambiguity in the naming draft:

>Consequently, unless otherwise
>   specified, a well-known Kerberos realm name MUST NOT be present in transited encoding

Who enforces this requirement?  That's an important question because
it controls who needs to support the specific well known realm in
order for it to be used.

In general using passive voice for such requirements is a really bad idea.

I'd recommend something like: Unless otherwise specified, parties
checking the transited realm path MUST reject a transited realm path
that includes a well known realm.  In the case of KDCs checking the transited realm path, this means that the transited policy checked flag MUST NOT be set in the resulting ticket.




In particular, that means that a KDC that is not checking transited
realm paths is not encouraged to reject a request simply because the
realm is an unknown well known realm.


--Sam
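A worked model of the rule as Sam phrases it, added here as an example; it is not part of the original message and not code from any Kerberos implementation. It assumes the "WELLKNOWN:" realm-name prefix that the naming draft reserves (the draft was later published as RFC 6111), implements only the trailing-period rule of the RFC 4120 DOMAIN-X500-COMPRESS transited encoding (null fields and X.500-style fields are treated as undecodable and therefore rejected), and uses a constructed set of permitted intermediate realms. The function and type names are the example's own.

```python
from __future__ import annotations

from dataclasses import dataclass

# Realm-name prefix reserved for well-known realms by the naming draft
# (RFC 6111). Assumed for this example; the page does not quote it.
WELLKNOWN_PREFIX = "WELLKNOWN:"


def expand_transited(encoded: str) -> list[str]:
    """Expand a DOMAIN-X500-COMPRESS transited string into realm names.

    Only the trailing-period rule of RFC 4120 section 3.3.3.2 is
    implemented: a field ending in "." is a prefix completed with the
    preceding realm name, so "EDU,MIT.,ATHENA." expands to
    EDU, MIT.EDU, ATHENA.MIT.EDU.  Null fields and X.500-style
    (slash-delimited) fields are not decoded here; they raise ValueError
    so that a checking party fails closed rather than silently skipping
    part of the path.  This is a simplification made for the example.
    """
    realms: list[str] = []
    prev = ""
    for raw in encoded.split(","):
        if raw == "" or raw.startswith("/") or raw.startswith("."):
            raise ValueError(f"unsupported transited field {raw!r}")
        realm = raw + prev if raw.endswith(".") else raw
        realms.append(realm)
        prev = realm
    return realms


@dataclass(frozen=True)
class Decision:
    accept: bool                      # issue the ticket / accept the request
    transited_policy_checked: bool    # TRANSITED-POLICY-CHECKED flag value
    reason: str


def check_transited_path(
    encoded: str,
    *,
    checks_transited: bool,
    permitted: frozenset[str] | None = None,
) -> Decision:
    """Apply the rule the way Sam proposes wording it.

    checks_transited=True models a party (KDC or application server)
    that validates the transited realm path: a well-known realm anywhere
    in the path is grounds for rejection, and a KDC that rejects never
    sets TRANSITED-POLICY-CHECKED.  checks_transited=False models a KDC
    that does not check the path: it does not reject merely because an
    unknown well-known realm appears, and it leaves the flag clear so a
    later party knows the path is unvalidated.  `permitted`, if given,
    is the local transit policy (an assumption of this example) that a
    checking party also applies.
    """
    if not checks_transited:
        return Decision(True, False, "transited path not checked by this party")
    try:
        realms = expand_transited(encoded)
    except ValueError as exc:
        return Decision(False, False, f"undecodable transited path: {exc}")
    for realm in realms:
        # Realm names are compared exactly; no case folding.
        if realm.startswith(WELLKNOWN_PREFIX):
            return Decision(False, False, f"well-known realm {realm} in transited path")
        if permitted is not None and realm not in permitted:
            return Decision(False, False, f"realm {realm} not permitted by local policy")
    return Decision(True, True, "transited path accepted")


if __name__ == "__main__":
    # Constructed inputs for illustration.
    path = "EDU,MIT.,WELLKNOWN:ANONYMOUS"
    print(expand_transited("EDU,MIT.,ATHENA."))
    print(check_transited_path(path, checks_transited=True))
    print(check_transited_path(path, checks_transited=False))
```

The two calls at the bottom show the distinction the comment draws: the same path is rejected by a checking party and passed through, with the policy-checked flag clear, by a KDC that is not checking.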