[575] in Kerberos-V5-bugs


More Concerns Over The Case of The Realm Names

daemon@ATHENA.MIT.EDU (Clifford Neuman)
Sun Jul 10 12:44:21 1994

Date: Sun, 10 Jul 1994 09:43:44 -0700
From: Clifford Neuman <bcn@ISI.EDU>
To: gnu@cygnus.com, DEEngert@anl.gov
Cc: tytso@MIT.EDU, auth-pilot@es.net, krb5-bugs@MIT.EDU, gnu@cygnus.com

Oops... the first message you received got out before I was done with
it.  Here it is again.  I will respond to several queries at once here:

   From: John Gilmore <gnu@cygnus.com>
   Is there a good reason that realm names are defined to be
   case-sensitive?  We could avoid the entire debate by simply making
   them case-insensitive, like host names or email addresses.  (This has
   a few problems in non-English alphabets, but with proper use of
   toupper/tolower rather than "x^040", it is solvable.)

In the protocol, realm names must be case sensitive if we are to
support realm names based on naming mechanisms other than DNS, without
limiting it to only naming mechanisms where names were case
insensitive.  Whereas it is almost trivial to map from case
insensitive names to a case sensitive name space (just canonicalize
the case), going in the other direction is really gross.

   From: "Doug Engert" <DEEngert@anl.gov>
   Most of us have defined realm names using lower case for the
   cross realm testing using k5.es.net as the base. But it looks
   like LLNL is using LLNL.K5.ES.NET as the realm.

I don't know what you mean by "most of us".  In fact, I believe most
Kerberos realms are in upper case.  Your community, which I believe to
be in the minority, chose lower case.  As to the choice of upper case:
perhaps it would have been easier to type if the canonical case was
lower case, but the convention was established in V4, and most sites
should be able to convert from V4 to V5 without having to change their
realm name.  Further, since the V5 KDC can be configured to respond to
both V5 and V4 requests this was even more important.  

With respect to DCE realm names, my understanding is that their realm
names are not of the domain name variety even though derived from
domain names.  In particular, they use slashes to separate components
and the order of the elements is reversed.  The upper case convention
only applies to realm names of the domain name variety.

Since there was no compelling reason to change the convention when we
moved to V5, and now that most V5 sites (with the exception of your
community) follow the convention, there is still no compelling reason
to change.  I'm sorry that we did not explicitly state the case of the
realm in the V5 RFC.  Not doing so was an oversight and will be
corrected in the errata document.  Upper case realm names are the ONLY
appropriate clarification since all examples of real realm names in
the RFC are upper case and it would cause even greater confusion to
change the convention (unfortunately, there is an example of a realm
name template where the variable elements are named in lower case).

   I would like to see the realm name be considered case sensitive,
   but with the convention being to use lower case for domain name
   style realm names, and have hst_realm.c convert a domain name to
   lower case. ( I know this may be considered a major change, but
   in the long run, it will make things easier.)

I'm sorry, but for the reasons described above, we can not change the
convention.  Again, I apologize for not specifying the case of the
realm name in the RFC.  

As to the desire of users to type lower case names, Ted's response was
correct in that the user interface can perform the conversion in those
cases where only one realm is known that matches what was typed by the
user when performing a case insensitive comparison.  In any event,
the only time the user should need to type a realm name is when running
kinit.  Realm names for hosts should be derived from the host name in
the majority of cases, with exceptions taken from the krb.conf file,
or some secure distributed alternative.

With respect to using DNS or other directory services to replace the
krb.conf file, that is appropriate.  The mapping from realm names to
the Kerberos server for the realm is not security critical.  It would
not be appropriate to use an unprotected network service to replace
the krb.realms file, though, for the reason Ted already described.

In any event, let's put the case issue to rest.  Realm names MUST
remain case sensitive.  As to which case should be canonical, some set
of sites will have to change.  Given that there is no compelling
technical reason to choose one over the other, and given that V4, and
the MIT V5 reference implementations use upper case, and given that
all examples of real domain style realm names in the RFC are
uppercase, upper case will remain the convention.  

Cross realm authentication with sites using lower case will work, but
the tree walking heuristics might not.  My advice to sites using the
lower case convention is to convert as soon as practical, since it
should be easier to do so sooner, rather than later.

Clifford Neuman
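
An added sketch, not code from this message or from the MIT Kerberos sources, of the two lookups the message describes: accepting a typed realm only when exactly one known realm matches case-insensitively, and deriving a host's realm from its domain name with exceptions taken from a local table. The realm list, the exception table and both function names are constructed for illustration; letting an exact-case match win is an assumption of the sketch.

```c
#include <ctype.h>
#include <string.h>
/* Constructed sample data; both spellings of one realm are listed on purpose. */
static const char *const KNOWN_REALMS[] = {
    "ATHENA.MIT.EDU", "ISI.EDU", "k5.es.net", "K5.ES.NET", NULL };
/* Constructed stand-in for a local host-to-realm exceptions file. */
static const struct { const char *suffix, *realm; } EXCEPTIONS[] = {
    { ".es.net", "k5.es.net" }, { NULL, NULL } };

static int ci_equal(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* Typed realm: exact case wins (assumption), else the unique
 * case-insensitive match, else NULL (unknown or ambiguous). */
const char *resolve_typed_realm(const char *typed)
{
    const char *found = NULL;
    size_t hits = 0;
    for (size_t i = 0; KNOWN_REALMS[i]; i++) {
        if (strcmp(KNOWN_REALMS[i], typed) == 0)
            return KNOWN_REALMS[i];
        if (ci_equal(KNOWN_REALMS[i], typed)) {
            found = KNOWN_REALMS[i];
            hits++;
        }
    }
    return hits == 1 ? found : NULL;   /* 0 or >1 hits: make the user retype */
}

/* Host realm: local exception if one matches, else the domain part
 * upper-cased. Returns 0 on success, -1 if no realm fits in out. */
int host_to_realm(const char *host, char *out, size_t outlen)
{
    const char *src = NULL, *dot;
    size_t hlen = strlen(host), j = 0;
    for (size_t i = 0; !src && EXCEPTIONS[i].suffix; i++) {
        size_t slen = strlen(EXCEPTIONS[i].suffix);
        if (hlen >= slen && ci_equal(host + hlen - slen, EXCEPTIONS[i].suffix))
            src = EXCEPTIONS[i].realm;
    }
    int upcase = (src == NULL);        /* only derived names are canonicalized */
    if (upcase && (dot = strchr(host, '.')) != NULL) src = dot + 1;
    if (!src || *src == '\0' || strlen(src) >= outlen) return -1;
    for (; *src; src++)
        out[j++] = upcase ? (char)toupper((unsigned char)*src) : *src;
    out[j] = '\0';
    return 0;
}
```

With both `k5.es.net` and `K5.ES.NET` configured, a mixed-case entry such as `K5.es.net` is rejected rather than guessed, which is the case the "only one realm is known that matches" condition guards against.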

