[AFS3-std] Re: PTS authentication name mapping draft, second call for review
Russ Allbery
rra@stanford.edu
Mon, 04 Jan 2010 18:28:54 -0800
Jeffrey Hutzelman <jhutz@cmu.edu> writes:
> Simon Wilkinson <simon@sxw.org.uk> wrote:
>> *) It isn't particularly extensible, because we have no change
>> control over GSSAPI. What happens if (unlikely) a Kerberos 4 GSSAPI
>> mechanism is standardised?
> Unlikely, and growing more so by the moment. But if it happened, we'd
> have to decide whether it's more important for GSS-krb4 to match
> existing krb4 auth names in the PRDB, or for nothing to have to know
> about the correspondence.
>> What happens if we add an explicit X509 mechanism?
> Don't do that.
I might be missing some context here, but that makes me very nervous. I
think it's extremely likely that we're going to have sites who want to use
an X.509 mechanism for authentication that is not mediated by Kerberos.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>