>>>>> "Cantor," == Cantor, Scott <[log in to unmask]> writes:

    Cantor,> On 2/28/14, 10:38 AM, "Cantor, Scott" <[log in to unmask]> wrote:
    >> 
    >> No, that's not the relevant issue, I'm talking about GSS-API,
    >> which is not specific to ABFAB. The only standard application
    >> interface to a user identity is the GSS initiator name. If
    >> extension naming attributes are to be used, then there has to be
    >> a standard one that is intended to hold the user identity for
    >> apps like SSH.

    Cantor,> Or, of course, you convince every app to support fully
    Cantor,> mappable user identity lookup into arbitrary naming
    Cantor,> extensions. But I don't think that's likely to fly as well
    Cantor,> as defining the equivalent of REMOTE_USER.

There are two widely implemented interfaces here.  One of them is not
standardized, but I'm not sure I see why that's a problem in practice.

1) the GSS-API username.  That's supposed to be some global identifier
in the scope of the authentication mechanism if present.

2) The authorization name (gss_localname  and the local-login-user
attribute).

Applications would like it if there was only one name.  However in
enterprise and authorization contexts, that just doesn't work.  We do
provide consistent mechanism-independent interfaces for requesting these
two names.

If I understand Scott's concern, I believe the above is responsive.
I understand Scott would like local-login-user to be standardized
somewhere.
In principle, I agree that would be desirable, but think it is unlikely
to have a practical effect.