[AFS3-std] Re: PTS authentication name mapping draft, second call for review

Simon Wilkinson simon@sxw.org.uk
Tue, 5 Jan 2010 08:26:39 +0000


On 5 Jan 2010, at 02:28, Russ Allbery wrote:

> I might be missing some context here, but that makes me very nervous. I think it's extremely likely that we're going to have sites who want to use an X.509 mechanism for authentication that is not mediated by Kerberos.

rxgk will support doing X.509 as a GSSAPI mechanism using (at least) the GGF's GSI, in the same way as OpenSSH does. As other GSSAPI-based X.509 mechanisms become available, we'll support those too.

My worry was that Derrick's draft essentially says that you can only use a single canonical format for a name, and that it's the client's responsibility to determine that canonical name before talking to the prdb. I believe that this is problematic, as it requires that all clients know about all of the authentication mechanisms supported within a cell, and the correspondence between those mechanisms. It means that it's possible that the behaviour of prdb entries will vary depending on which piece of software created them.

S.