[1494] in Kerberos-V5-bugs
Re: Kerberos V5 beta5 / DCE interoperability problem
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Mon Jun 19 20:14:22 1995
Date: Mon, 19 Jun 1995 20:12:54 +0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: ramus@nersc.gov
Cc: pato@apollo.hp.com, KRB5-BUGS@MIT.EDU, DEEngert@anl.gov,
sommerfeld@apollo.hp.com
In-Reply-To: Joe Ramus's message of Mon, 19 Jun 95 13:40:00 PDT,
<9506192040.AA21581@windsail.nersc.gov>
Date: Mon, 19 Jun 95 13:40:00 PDT
From: ramus@nersc.gov (Joe Ramus)
I must have missed the point somewhere?
Why does MIT want to require "all upper case" in RFC 1510?
Why is it so difficult to allow both upper & lower case and to
distinguish between them?
For the same reason that DCE requires (and cannonicalizes) the cell name
to be all lowercase in all known implementations? As inconvenient as
the OSF has made our life by doing this, there actually is a
justification for it.
It's basically matter of convention, and reducing confusion; given that
we're using realm (cell) names that are derived from the DNS,
which is case insensitive, it makes life much simpler to either (a) make
the realm (cell) names case insensitive, or (b) adopt either by
convention or by fiat, that the realm (cell) names be all one case.
For historical reasons, Kerberos realm names have been in all upper
case. And while there are some arguments in favor of making the realm
(cell) names to be case insensitive, there are also a lot of arguments
(mostly having to do with internationalization and adaptability of
Kerberos (DCE) to silly things like OSI) to allow it to be case
sensitive.
So if we're going to do (b), then it makes sense to force the case of
the realm (cell) name. Unfortunately, DCE didn't choose the established
convention of Kerberos realm names, and used another one. The technical
reasons to prefer all lower case to all upper case, are probably about
as good as the ones that argue whether big endian or little endian
architectures are better.
But given that RFC1510 documents the *Kerberos* standard, it would make
sense to make the convention be based on the historical standard of
Kerberos, which is why I want to require "all upper case". But if
that's going to cause massive problems for DCE users, the only thing we
can then do is live with the resulting confusion of allowing both
conventions. (This confusion could have been avoided if there had been
some closer collaboration from the start, but that's water under the
bridge now.)
However, if Kerberos is going to accept realm (cell) names using either
convention, DCE must also do so. The fact that DCE requires all lower
case by cannonicalizing the returned value from the dce_cf.db config
file means that users who want to do the right thing won't be able to,
and that's the bug which I hope will be fixed in DCE 1.2.
- Ted
