[17308] in Kerberos_V5_Development
Re: Proposed Behavior change: don't fail when krb5_sname_to_principal
daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Oct 14 15:23:11 2011
MIME-Version: 1.0
In-Reply-To: <tslhb3bbf7y.fsf@mit.edu>
Date: Fri, 14 Oct 2011 14:22:43 -0500
Message-ID: <CAK3OfOiThJh4bR4tiKMt=n=NEUxGK_2uQ-sUxa6jNjomwE676g@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>, Tom Yu <tlyu@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Fri, Oct 14, 2011 at 1:28 PM, Sam Hartman <hartmans@mit.edu> wrote:
>>>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:
>     Tom> Is there any way to securely deal with multiple search domains?
>
> No, RFC 4120 tells you not to deal with multiple search domains.
No, RFC4120 says not to use DNS. It doesn't say to not use a search list, although a search list would have similar but less severe issues (thus it follows that RFC4120 discourages them too), but we could extend the protocol to support secure unknown service principal errors, which would solve that problem.

Unless your position is that soon we'll have DNSSEC everywhere, I don't see how you could think it's better to keep the current DNS canonicalization scheme and not add an option for applying a search list instead. Search lists would definitely be a security improvement over DNS lookups as we do them today in MIT and Heimdal.
Nico
--
_______________________________________________
krbdev mailing list
krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev