[37057] in Kerberos


Re: A client name with an '@'

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Wed Jun 3 11:21:18 2015

Message-Id: <201506031520.t53FKvh1022921@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: <kerberos@mit.edu>
In-Reply-To: <556EA34E.7010501@openfortress.nl>
MIME-Version: 1.0
Date: Wed, 03 Jun 2015 11:21:04 -0400
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>> Boy if I could get user principal mapping going, that would be sweet.
>
>Or you might retain the uppercase realm and try to cross-sign between
>the uppercase and lowercase realms.  Your (somewhat silly) clients log on
>to the lowercase realm and gain access to the (less error-prone) uppercase
>realm.

I think if you had two realms that differed only by case, that would be
a recipe for a disaster (what happened when you tried to look up realm
information in DNS, which is case-insensitive for lookup?).

Also, the venerable Russ Allbery created a lowercase realm for Stanford,
and repeatedly has said that if he had to do it all over again he wouldn't
have done a lowercase realm; too much software assumes an uppercase realm.
Maybe that has changed in the intervening years.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
