In article <[EMAIL PROTECTED]>,
those who know me have no need of my name  <[EMAIL PROTECTED]> wrote:
: <9m1qqa$jme$[EMAIL PROTECTED]> divulged:
: 
: >Windows 2000 represents non-ASCII characters as UTF-8 strings.
: >MIT and Heimdal represent them as 8-bit ISO-Latin1.  Therefore,
: >this will not work.
: 
: you could hack the source to use utf-8 encoding (horrible as that encoding
: is), but you'd have to be sure to update your entire domain, and
: cross-domain authentication would suffer.
:
: (and, hatefully enough, the microsoft method is the better of the two.  it
: doesn't conform with the standards (such as they are) nor the deployed
: world (not that they've ever cared about that), so it shouldn't have been
: done as it was.  but it is superior.  don't agree?  think of a domain that
: encompasses hosts in germany, israel, and japan, that doesn't wish to force
: any one area to use the string (language) conventions of the other.)

Actually, nobody adheres to the standard.  Not MIT, not Heimdal, not
Microsoft.  The RFC says that the principal name is an ASN.1 GeneralString
which means that all strings other than plain ASCII must be encoded
using ISO-2022 escape sequences.  These are the same escape sequences
used to change between character sets in a DEC VTxxx terminal.  None
of the Kerberos implementations implement ISO-2022.  The MIT and Heimdal
implementations treat the ASN.1 GeneralString as an OctetString without
regard for character-set.

There is a serious discussion taking place about ways to handle this
problem.  But for the time being, until a universal approach is determined,
I would seriously recommend restricting all user and host names to ASCII.

 Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 Beta available
 The Kermit Project @ Columbia University   includes Secure Telnet and FTP
 http://www.kermit-project.org/             using Kerberos, SRP, and 
 [EMAIL PROTECTED]          OpenSSL.  SSH soon to follow.
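
Added example, not part of the original post or of any Kerberos implementation: a small audit that flags principal names outside ASCII and shows why an octet-for-octet comparison fails between a UTF-8 sender and an ISO-Latin1 receiver. The principal names, realm and function names are constructed for illustration.

```python
# Added example (not from the original post). Principal names are constructed.

SAMPLE_PRINCIPALS = [
    "host/web01.example.com@EXAMPLE.COM",   # pure ASCII
    "j\u00fcrgen@EXAMPLE.COM",              # u-umlaut: exists in Latin-1
    "\u05d9\u05e2\u05dc@EXAMPLE.COM",       # Hebrew: not in Latin-1
    "\u592a\u90ce@EXAMPLE.COM",             # Japanese: not in Latin-1
]


def wire_octets(name):
    """Octets each convention would place in the name field.

    The Latin-1 value is None when the name cannot be represented at all.
    """
    utf8 = name.encode("utf-8")
    try:
        latin1 = name.encode("iso-8859-1")
    except UnicodeEncodeError:
        latin1 = None
    return utf8, latin1


def octets_agree(name):
    """True if a byte-for-byte comparison would match across both conventions."""
    utf8, latin1 = wire_octets(name)
    return latin1 is not None and utf8 == latin1


def audit(principals):
    """Return (name, reason) for every principal that is not pure ASCII."""
    findings = []
    for name in principals:
        if all(ord(ch) < 128 for ch in name):
            continue  # ASCII encodes identically under both conventions
        utf8, latin1 = wire_octets(name)
        if latin1 is None:
            reason = "not representable in ISO-Latin1"
        else:
            reason = "UTF-8 %s != ISO-Latin1 %s" % (utf8.hex(), latin1.hex())
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PRINCIPALS):
        print("%-24r %s" % (name, reason))
```

Only the pure-ASCII name yields the same octets under both conventions, which is why restricting names to ASCII sidesteps the mismatch.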
