>>>>> "Donn" == Donn Cave <[EMAIL PROTECTED]> writes:
Donn> An LDAP service certainly should have its own key, but in my
Donn> opinion this should actually be a run time option. LDAP
Donn> services aren't really a distinct category. You might run
Donn> several LDAP services on the same host whose data and access
Donn> controls are completely different, and that's what you would
Donn> like to base the service principals on, not the technicality
Donn> of the protocol. But you might also run two that are
Donn> essentially identical, but on separate service ports for
Donn> testing, so it isn't ideal to just incorporate the service
Donn> port in the service principal to accomplish this (don't
Donn> laugh! I believe there are implementations that do exactly
Donn> that.)

The problem is that you need a secure mechanism to tell the client what principal to authenticate against. Specifying that in the protocol document is a great way to make sure it is securely known.
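To make the point above concrete, here is an added example (not code from the thread or from any LDAP implementation) of how a client can derive the expected service principal for an LDAP server from nothing but the protocol-fixed service name, the host name the user typed into the URL, and the client's own host-to-realm configuration. The realm mapping, the host names and the `ldap_service_principal` helper are all assumptions made for illustration; the port is deliberately not part of the name, and nothing the server sends is consulted.

```python
from urllib.parse import urlsplit

# Constructed client configuration (assumed, not from the original post):
# the equivalent of a krb5.conf [domain_realm] section.
DOMAIN_REALM = {
    "example.com": "EXAMPLE.COM",
    "test.example.com": "TEST.EXAMPLE.COM",
}

# The service name is fixed by the protocol specification, so the client
# never has to be told it by the peer it is about to authenticate.
SERVICE = "ldap"


def realm_for_host(host: str) -> str:
    """Pick the realm by longest configured domain suffix of the host."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_REALM:
            return DOMAIN_REALM[candidate]
    raise ValueError(f"no realm configured for {host}")


def ldap_service_principal(url: str) -> str:
    """Return the principal name 'ldap/<host>@<REALM>' a client should
    expect for the LDAP server named in url.

    Only the user-supplied host name and local configuration feed into the
    result: the port is ignored (two test instances on different ports of
    the same host share one principal), the name is not canonicalised via
    DNS, and IP literals are rejected because they carry no trustworthy
    name to bind the key to.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("URL has no host")
    if ":" in host or host.replace(".", "").isdigit():
        raise ValueError("use a host name, not an IP literal")
    host = host.rstrip(".")  # drop a trailing root dot
    # parts.port is intentionally unused: service port is not identity.
    return f"{SERVICE}/{host}@{realm_for_host(host)}"


if __name__ == "__main__":
    for u in ("ldap://LDAP1.Example.COM.:3389/",
              "ldaps://ldap1.example.com/",
              "ldap://ds.test.example.com:10389/dc=test"):
        print(u, "->", ldap_service_principal(u))
```

The same host on two ports yields the same principal, which is exactly what makes the expected name securely known to the client: an attacker on the wire cannot steer the client toward a principal whose key the attacker holds, because no part of the name comes from the connection. A real client would hand the resulting name to its GSSAPI/Kerberos library as the target; that step is left out here.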