[AFS3-std] Revised PTS authentication name mapping draft, call
for review
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 12 May 2010 15:44:08 -0400
--On Tuesday, April 20, 2010 05:27:59 PM -0400 Derrick Brashear
<shadow@gmail.com> wrote:
> https://datatracker.ietf.org/doc/draft-brashear-afs3-pts-extended-names/
Section 3:
> Because of this, PTS authentication names take the
> format of a Kerberos 4 authentication name.
Well, not really. They take a form similar to that conventionally used for
writing Kerberos 4 principal names as strings, with the realm (cell) name
omitted when it is the same as the local realm (i.e. almost always).
This is interesting because it suggests obvious algorithmic mappings to PTS
names from krb4 and many krb5 principal names, but we don't want to give
the impression that we're mapping everything to krb4, when in fact we're
mapping everything to strings.
Section 4 is redundant and should be removed entirely.
Section 8.1:
> A client with knowledge of the GSSAPI mechanism MAY import
> the data portion and use it to generate a display name.
but there's no mention of a GSS-API mechanism here, and in fact such
mechanisms comprise only one of the possible types. I suggest instead:
] A client with knowledge of the particular name type used MAY
] use the data portion to derive a suitable display name, if none
] is provided.
Section 8.3:
I suggest removing any mention of "bit streams", which simply creates
confusion about bit and byte order. This operation does not return a bit
stream; it returns a vector of 32-bit integers, of which only the first
currently has defined structure and meaning.
Section 8.4.1:
> For each authname provided in alist, an AFS ID will be provided in
> list at the corresponding position.
s/list/ilist/
Section 8.4.2:
Same change as for 8.4.1. Also:
> Where an authentication name cannot be looked up
How about "where neither an explicit nor implicit mapping is available..."
Finally, did I mention I hate this RPC name?
Not that I have a better one in mind...
Section 8.4.4:
s/the current the current/the current/
Section 9:
This section is non-normative. I suggest s/required/needed/g in the first
paragraph, to avoid any confusion with RFC2119 requirements language.
Section 11.3:
Depending on where it came from, a GSS-API name may need to be
canonicalized by use of GSS_Canonicalize_name() before it can be exported.
I'm not sure whether it's worth saying anything about this here, but folks
not familiar with GSS-API may not realize that import+export may not do the
right thing, while import+canonicalize+export always will.
-- Jeff