[krbwg-51] [grand.central.org #273] Re: submit comments on GSSAPI names

John Brezak via RT rt-krbwg-51@grand.central.org
Thu, 10 May 2001 12:49:03 -0400 (EDT)


<URL: http://new-grand.central.org//rt//Ticket/Display.html?id=273 >

[hartmans - Wed Mar 21 17:05:20 2001]:

> 
> During the name canonicalization discussion this morning, we realized
> that there may be significant issues with the GSSAPI names as they
> interact with complex naming models.  You want to, for example, be able
> to put the long-lived form of a user name on an ACL.
> 
> We agreed that either Paul or John will consider writing up comments
> to CAT wrt going to draft standard.
> 
This was posted to the wg list in an addendum to the Minneapolis 
meeting minutes:

1) For the GSSAPI name canonicalization of the client name for use in 
ACLs, there is an existing problem with GSSAPI v2 where servers that 
have multiple principal names today can have the exact same problem if 
a server is to be used as an authorization subject name that is a 
GSSAPI canonical name. This problem is not new to the Kerberos 
referrals and needs to be addressed in GSSAPI regardless of how this 
proceeds.

I have not seen any discussion on this topic.

