So, you presented an alternate proposal that violated one of my constraints without describing what it offers that my proposal did not offer.
In particular, you propose changing the initiator. I don't like changing the initiator to support this use case because it's possible for an initiator to mis-implement the new functionality or, if it is optional, to choose not to implement it at all. Then you get initiators that work against some environments but not against high-infrastructure environments, which tend to be sensitive to working with as many initiators as possible. Also, I don't think the set of RP-side intermediates is the initiator's business at all. We don't tell the initiator what AAA proxies we use, so why should the initiator be involved in this? Finally, host-to-realm in clients has generally been regarded as a bad idea in Kerberos. If we had it to do over, I would not support host-to-realm functionality in the clients. I don't support having that functionality in clients in a new protocol.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
