Re: the PKU2U DN to Kerberos Principal name mapping
On Tue, Jan 29, 2008 at 12:42:35PM -0500, Jeffrey Hutzelman wrote:
> --On Monday, January 28, 2008 05:55:04 PM -0600 Nicolas Williams
> <Nicolas.Williams at sun.com> wrote:
>
> >I'm not sure that we actually want GSS_Compare_name() to sport such
> >behaviour, as opposed to having a new function that does, because it's
> >pushing things a bit to say that the two NAME objects passed to it are
> >equal representations of the same principal. They are representations
> >of the same principal name, just not _equal_ representations of it.
>
> That's OK. GSS_Compare_name is defined to return a true result when the
> names represent the same entity, not only when they are the same. This
> appears to be exactly what GSS_Compare_name is for, so no, I don't think we
> need a new interface for this.
OK, good. Then I think the text I gave Larry is pretty close.
I suppose we need to decide what name-types *must* be supported. I
propose:
- GSS_C_NT_DN (because that's what the canonical names will be based
on! It simply must be supported)
- GSS_C_NT_HOSTBASED_SERVICE (because most acceptors will be hosts and
generic GSS apps will be using this name-type)
- GSS_KRB5_PRINCIPAL_NAME (because, PKU2U being built on PKINIT
technology, it should be trivial to support this when id-pkinit-san
is present)
The other name-types should all be optional.