On Mon, Mar 01, 2010 at 12:41:55PM -0500, Sam Hartman wrote:
> Nicolas> In some ways it seems to me that the realm of the host is
> Nicolas> completely irrelevant in this case since the host is not
> Nicolas> participating directly in a Kerberos realm.
>
> I disagree.
I agree with your disagreement. I was thinking about the GSS initiator
application, where it seemed to me that in the GSS-EAP case the
application probably doesn't care about the host's "realm". However, I
think both the initiator application and the EAP server can care
to authenticate the EAP proxy.
> Here's text from the draft:
>
> [Below, channel binding means EAP channel binding; it is clear from
> context in the draft.]
When EAP and GSS collide we really need to always clearly disambiguate
the use of "channel binding". I propose you say "EAP channel binding"
and "GSS channel binding" to properly distinguish them.
> You could argue that it's not actually the realm I care about so much as
> the identity of the server proxy. That's true, although I think for a
> lot of practical reasons, the realm is a good stand-in for that
> identity.
I agree now.
> However, it sounds like we're in definite agreement that if there is a
> name form that includes service name, host name and administrative realm
> verifying validity of host name, that name form is most definitely not a
> domain-based name.
Definitely.
Note that in my conception of name attributes the "realm" is really an
"issuer" of credentials. I find this to be a very useful way to think
about principal naming.
Nico