[AFS3-std] Re: Revised PTS authentication name mapping draft, call for review

Jeffrey Altman jaltman@your-file-system.com
Tue, 24 Aug 2010 14:10:34 -0400



 On 8/24/2010 2:02 PM, Derrick Brashear wrote:
> I have again revised this draft based on feedback, and -03 is available.
>
> https://datatracker.ietf.org/doc/draft-brashear-afs3-pts-extended-names/
>
> I declined to abridge the explanatory text regarding AFS history at
> this time, as there is no suitable work to refer to at this time.
>
> Aside from that, I know of one outstanding issue, which in addition to
> any comment I would like to explicitly seek feedback on.
>
> One commenter (who I will allow to out themselves if they wish) says:
> "I'm still uneasy about requiring the rewriting of GSSAPI-obtained
> Kerberos names to use the Kerberos name type. If we believe that
> GSSAPI is the future, then I would prefer that we use the GSSAPI
> exported name for all GSSAPI mechanisms, rather than special casing
> Kerberos.
>
> If I am building a hypothetical AFS product which only supports
> GSSAPI, I'm not sure why I should be forced to have my server convert
> from GSSAPI to Kerberos v5 names, when I actually have no interest at
> all in the Kerberos v5 name.
>
> I think a better approach would be to require ptservers in cells which
> support multiple implementations of the same underlying security
> mechanism to perform the mapping. So, if you have a cell which
> supports both native Kerberos v5, and GSSAPI, then the ptserver should
> be responsible for mapping from the GSSAPI name to the Kerberos v5
> one, and vice versa."
>
> As long as we have chosen a single consistent mechanism for
> representing Kerberos 5 names there should not be an issue, and this
> proposal does so; as such I would be willing to incorporate it if
> consensus is behind it.

I support this change.  It is after all the PTS server's responsibility
to understand whether two names refer to the same PTS ID.  If the PTS
server wants to treat all existing Kerberos v4 names as automatically
having synonyms that are Kerberos v5 and GSS-KRB5 name forms, that is an
implementation detail.

Jeffrey Altman
