Re: [Ietf-krb-wg] the PKU2U DN to Kerberos Principal name mapping
On Mon, Jan 28, 2008 at 03:46:07PM -0800, Henry B. Hotz wrote:
> Since I'm not on that list, I'll throw my 2 cents in here:
[Cc'ing the KITTEN list and you, dropping the KRB WG list.]
> It would be nice if you could do a gss_compare_name() between
> smith@EXAMPLE.COM and uid=smith,ou=People,dc=example,dc=com and get a
> "true" result. I think the detail you threw out was headed in that
> direction, but it wasn't clear to me if it would get you all the way
> there.
Well, that might work given the text I gave Larry in a very specific
context, namely that if one of the arguments to GSS_Compare_name() is a
NAME object imported with GSS_Import_name() but not canonicalized and
the other argument is a NAME object that is what I called a CMN (and
therefore there's an underlying cert) then the comparison could be true
if that cert had an id-pkinit-san SAN with that krb5 principal name.
I'm not sure that we actually want GSS_Compare_name() to sport such
behaviour, as opposed to having a new function that does, because it's
pushing things a bit to say that the two NAME objects passed to it are
equal representations of the same principal. They are representations
of the same principal name, just not _equal_ representations of it.
I think I'd want a GSS_Match_name() function, or something, to embody
this kind of functionality.
Nico
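As an added sketch, not code from this thread or from any real GSS-API implementation, the distinction Nico draws can be written down as two functions: a strict `compare_name` that only accepts equal representations, and a looser `match_name` that also accepts an imported principal name against a certificate-backed (CMN) name whose certificate carries an id-pkinit-san naming that principal. The class names `PkinitSan`, `ImportedName`, `CertName` and the function `match_name` are hypothetical; the SAN model (realm plus name-string list) follows the KRB5PrincipalName structure of RFC 4556, and the principal-string parser handles backslash escapes of `/` and `@`.

```python
# Toy model of strict GSS_Compare_name() beside a looser GSS_Match_name();
# the id-pkinit-san layout (realm + name-string list) follows RFC 4556.
from dataclasses import dataclass


def parse_principal(text):
    # 'a/b@REALM' -> (['a', 'b'], 'REALM'); a backslash escapes '/' and '@'
    comps, cur, in_realm, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):  # escaped separator, keep literally
            cur, i = cur + text[i + 1], i + 2
            continue
        if not in_realm and c in "/@":
            comps.append(cur)
            cur, in_realm = "", c == "@"
        else:
            cur += c
        i += 1
    return (comps, cur) if in_realm else (comps + [cur], "")


@dataclass(frozen=True)
class PkinitSan:  # id-pkinit-san otherName: KRB5PrincipalName
    realm: str
    name_string: tuple


@dataclass(frozen=True)
class ImportedName:  # result of GSS_Import_name(), not canonicalized
    principal: str


@dataclass(frozen=True)
class CertName:  # CMN: a name backed by an underlying certificate
    subject_dn: str
    pkinit_sans: tuple = ()


def compare_name(a, b):
    """GSS_Compare_name(): true only for equal representations."""
    return a == b


def match_name(a, b):
    """GSS_Match_name(): also true when the CMN's cert names the principal."""
    if compare_name(a, b):
        return True
    imported, cert = (a, b) if isinstance(a, ImportedName) else (b, a)
    if not (isinstance(imported, ImportedName) and isinstance(cert, CertName)):
        return False
    comps, realm = parse_principal(imported.principal)
    return any(s.realm == realm and s.name_string == tuple(comps)
               for s in cert.pkinit_sans)
```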
--
_______________________________________________
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.