--On Saturday, August 13, 2005 11:06 PM +0100 Joe Orton
<[EMAIL PROTECTED]> wrote:

> On Fri, Jul 22, 2005 at 08:25:50AM -0500, Christopher Mason wrote:
> > The question is: should an application canonicalize a hostname
> > entered by a user when forming the SPN?
>
> Did you get any definitive off-neon-list answers to this,
> Christopher?

It seems the answer is that you /shouldn't/ canonicalize, due to the
possible DNS MITM attack; you should instead have keys for each of
the host names that a user might enter.

Again, however, the majority of software that I've come across
(including MIT kerberos) /does/ in fact canonicalize (but, at least
in the case of MIT kerberos, this can be optionally disabled).

See here for details:
<http://mailman.mit.edu/pipermail/kerberos/2005-July/008167.html>

I gave up and just use the FQDN in URLs I give to neon.

-c
--
[ Christopher Mason MPRC Bioinformatics http://proteomics ]
_______________________________________________
neon mailing list
[email protected]
http://mailman.webdav.org/mailman/listinfo/neon
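The point Christopher summarises above, shown as an added example that is not code from the thread, neon or MIT krb5: an HTTP service principal built from a user-typed hostname, with DNS canonicalization on versus off, against a constructed in-memory stand-in for DNS (the realm, hostnames and DNS answers are all made up for the illustration).

```python
# Added example: contrasts DNS-canonicalizing SPN construction with using the
# name the user typed, and lists the keys a server then needs. The "DNS"
# below is a constructed in-memory dict standing in for real resolution.
REALM = "EXAMPLE.COM"  # constructed placeholder realm

# Constructed DNS view: alias -> canonical host, as an honest resolver answers.
HONEST_DNS = {"dav.example.com": "webserver1.example.com"}
# The same lookup after an on-path attacker rewrites the answer (DNS MITM).
SPOOFED_DNS = {"dav.example.com": "attacker-box.example.com"}


def normalize_host(host: str) -> str:
    """Case-fold and drop a trailing dot. No DNS lookup is performed."""
    return host.rstrip(".").lower()


def build_spn(host: str, canonicalize: bool, dns: dict) -> str:
    """Return HTTP/<host>@REALM for the given user-entered host.

    canonicalize=True mimics libraries that resolve the name first (the MIT
    krb5 default, per the thread): the SPN then depends on whatever DNS
    answered. canonicalize=False binds the SPN to the name the user typed,
    so a forged DNS answer cannot change which service key is used.
    """
    h = normalize_host(host)
    if canonicalize:
        h = dns.get(h, h)
    return f"HTTP/{h}@{REALM}"


def required_keys(aliases) -> list:
    """Principals the server's keytab must hold when clients do not
    canonicalize: one per name a user might type (duplicates collapsed)."""
    return sorted({f"HTTP/{normalize_host(a)}@{REALM}" for a in aliases})


def spn_changes_under_spoofing(host: str, canonicalize: bool) -> bool:
    """True if a spoofed DNS answer changes the SPN the client asks for."""
    honest = build_spn(host, canonicalize, HONEST_DNS)
    spoofed = build_spn(host, canonicalize, SPOOFED_DNS)
    return honest != spoofed
```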