On Mon, Mar 30, 2009 at 03:01:21PM -0500, Nicolas Williams wrote:
> I believe that certificate extensions and Kerberos V authorization-data
> could be used to ensure that the client and server both know the correct
> "label encodings" for their shared DOIs.

Of course, this does nothing for deployments that don't use PKIX or Kerberos V. We can do something like this for all trusted third-party distributed authentication systems. But for simple pre-shared key (PSK) and simpler schemes (e.g., AUTH_SYS) there's nothing we can do: the client and server will have to agree on a DOI and label encodings a priori.