On 22/09/2012, at 3:08 PM, Sam Hartman <[email protected]> wrote:
> Jim proposed that acceptors echo back their name rather than simply
> relying on the name match in channel bindings.

Your recommended implementation strategy (ignore realm if absent on either side) is easy to implement, no problem there.

In the case of hostname (or more generally, SPN) aliases, then the initiator will fail if the acceptor returns its canonical service principal name, because it has no way of validating one against the other (a simple comparison may fail and the canonicalisation logic belongs on the server side).

(Historical anecdote: between W2K and W2K3 Microsoft changed the behaviour of the canonicalize KDC option in a TGS-REQ so that it would effectively be ignored, i.e. not canonicalize the service principal name in the response.)

-- Luke

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
