On 5 Jan 2010, at 02:28, Russ Allbery wrote:
I might be missing some context here, but that makes me very nervous. I think it's extremely likely that we're going to have sites who want to use an X.509 mechanism for authentication that is not mediated by Kerberos.
rxgk will support doing X.509 as a GSSAPI mechanism using (at least) the GGF's GSI, in the same way as OpenSSH does. As other GSSAPI based X.509 mechanisms become available, we'll support those too.
My worry was that Derrick's draft essentially says that you can only use a single canonical format for a name, and that it's the client's responsibility to determine that canonical name before talking to the prdb. I believe that this is problematic, as it requires that all clients know about all of the authentication mechanisms supported within a cell, and the correspondence between those mechanisms. It means that it's possible that the behaviour of prdb entries will vary depending on which piece of software created them.
S.

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://michigan-openafs-lists.central.org/mailman/listinfo/afs3-standardization
