[OpenAFS-devel] Kerberos v5 Principal Names containing dots in the first component

Russ Allbery rra@stanford.edu
Wed, 01 Aug 2007 13:20:27 -0700


Jeffrey Altman <jaltman@secure-endpoints.com> writes:

> The question therefore is which of the following should be done:

>    1. leave the code as it is and sites that wish to remove it can do so
>       by applying the patch locally
>    2. remove the code and sites that wish to add the check can do so by
>       applying the patch locally
>    3. conditionally execute the check by adding code to push command
>       line configuration down into the rxkad security class AND one of:
>          1. make the default be off
>          2. make the default be on

> At this point I am tempted to say 2 but would be willing to accept
> either of 3 provided that someone submitted an acceptable patch.

> Comments?

I mostly concur with you, but I'd be more comfortable with 2 if I felt
like we could clearly document this constraint somewhere where people
would actually see it.  And right now, the documentation that people would
be reading for an installation isn't easily updatable.

3-2 is the most conservative choice that still addresses the problem
(which I think is a significant one).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>