[AFS3-std] Re: PTS authentication name mapping draft, second call for review
Simon Wilkinson
simon@sxw.org.uk
Tue, 5 Jan 2010 08:26:39 +0000
On 5 Jan 2010, at 02:28, Russ Allbery wrote:
> I might be missing some context here, but that makes me very nervous. I
> think it's extremely likely that we're going to have sites who want to use
> an X.509 mechanism for authentication that is not mediated by Kerberos.
rxgk will support doing x509 as a GSSAPI mechanism using (at least)
the GGF's GSI, in the same way as OpenSSH does. As other GSSAPI based
X509 mechanisms become available, we'll support those too.
My worry was that Derrick's draft essentially says that you can only
use a single canonical format for a name, and that it's the client's
responsibility to determine that canonical name before talking to the
prdb. I believe that this is problematic, as it requires that all
clients know about all of the authentication mechanisms supported
within a cell, and the correspondence between those mechanisms. It
means that it's possible that the behaviour of prdb entries will vary
depending on which piece of software created them.
S.
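The concern in the message above (that client-side canonicalisation makes the visible prdb entry depend on which client created it) can be shown with a small model. This is an added example, not code from the thread, the draft, or any AFS implementation; the two mechanisms, the sample identities, the "CN@REALM" mapping rule, and the two prdb classes are all hypothetical and chosen only to illustrate the two architectures.

```python
from typing import Optional

# Constructed sample identities: one person seen through two mechanisms.
KRB5_NAME = "alice@EXAMPLE.ORG"
X509_DN = "/C=UK/O=Example/CN=alice"


def client_a_canonicalise(mech: str, raw_name: str) -> str:
    """Client A knows only Kerberos names; anything else passes through unchanged."""
    return raw_name


def client_b_canonicalise(mech: str, raw_name: str) -> str:
    """Client B knows a (hypothetical) cell rule: X.509 CN -> CN@EXAMPLE.ORG."""
    if mech == "x509":
        parts = dict(p.split("=", 1) for p in raw_name.strip("/").split("/"))
        return f"{parts['CN']}@EXAMPLE.ORG"
    return raw_name


class ClientCanonPrdb:
    """prdb model that trusts the client to have produced the canonical name."""

    def __init__(self) -> None:
        self.entries: dict[str, int] = {}

    def create(self, canonical: str) -> int:
        # Entry ids are assigned in creation order, starting at 1.
        return self.entries.setdefault(canonical, len(self.entries) + 1)

    def lookup(self, canonical: str) -> Optional[int]:
        return self.entries.get(canonical)


class ServerCanonPrdb:
    """prdb model that holds the mapping itself, keyed by (mechanism, raw name)."""

    def __init__(self, mapping: dict[tuple[str, str], str]) -> None:
        self.mapping = mapping
        self.entries: dict[str, int] = {}

    def canonicalise(self, mech: str, raw_name: str) -> str:
        # A name the server has no rule for is an error, not a silent new identity.
        try:
            return self.mapping[(mech, raw_name)]
        except KeyError:
            raise LookupError(f"no mapping for {mech} name {raw_name!r}") from None

    def create(self, mech: str, raw_name: str) -> int:
        return self.entries.setdefault(self.canonicalise(mech, raw_name),
                                       len(self.entries) + 1)

    def lookup(self, mech: str, raw_name: str) -> Optional[int]:
        return self.entries.get(self.canonicalise(mech, raw_name))


def client_side_scenario() -> tuple:
    """Client-side canonicalisation: the result depends on which client asks."""
    prdb = ClientCanonPrdb()
    created = prdb.create(client_b_canonicalise("krb5", KRB5_NAME))
    # Client B's rule folds alice's X.509 identity onto the same entry ...
    via_b = prdb.lookup(client_b_canonicalise("x509", X509_DN))
    # ... but client A, knowing nothing of X.509, asks for a different name.
    via_a = prdb.lookup(client_a_canonicalise("x509", X509_DN))
    return created, via_b, via_a  # (1, 1, None)


def server_side_scenario() -> tuple:
    """Server-side canonicalisation: every client sends the raw name and agrees."""
    mapping = {("krb5", KRB5_NAME): "alice", ("x509", X509_DN): "alice"}
    prdb = ServerCanonPrdb(mapping)
    created = prdb.create("krb5", KRB5_NAME)
    via_b = prdb.lookup("x509", X509_DN)
    via_a = prdb.lookup("x509", X509_DN)
    return created, via_b, via_a  # (1, 1, 1)


if __name__ == "__main__":
    print("client-side:", client_side_scenario())
    print("server-side:", server_side_scenario())
```

In the client-side model the same person resolves to an entry or to nothing depending on which client performed the lookup, which is exactly the inconsistency the message describes; in the server-side model the only thing a client needs to know is which mechanism it authenticated with, and an unmapped name is rejected rather than becoming a new, unrelated identity.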