Ken Hornstein wrote:
>> become the same string. In order to prevent "joe.admin" from becoming
>> the administrative identity "joe/admin" we disable support for dots in
>> Kerberos v5 principal names.
>
> And yet somehow this isn't an issue when you use the 524 translator.
>
> --Ken

It most definitely is an issue. I wish I were a fly on the wall when that discussion was taking place. You are correct that the krb524d does permit this overlap.

However, the correct long term change is to add native Kerberos v5 name type support to AFS. We have the design, it just needs to be implemented.

Perhaps in the meantime we should add a command line switch

    --permit-dotted-krb5-names

Jeffrey Altman
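The name overlap discussed in this message, as an added example that is not part of the original thread and is not AFS or krb524d code. It assumes a simplified model in which Kerberos v5 components are joined with "." to form the krb4-style AFS name; the function names, the `permit_dotted` parameter (modelled on the switch proposed above) and the choice to reject a dot in any component are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample principals (realm omitted): a one-component user
 * name containing a dot, and a two-component admin identity. */
static const char *const SAMPLE_USER[]  = { "joe.admin" };
static const char *const SAMPLE_ADMIN[] = { "joe", "admin" };

/* Hypothetical mapping: join krb5 components with '.' into out.
 * With permit_dotted == 0, any component containing '.' is refused,
 * because the joined string could no longer be split unambiguously.
 * Returns 0 on success, -1 on rejection or if out is too small. */
int krb5_to_afs_name(const char *const comps[], size_t ncomps,
                     int permit_dotted, char *out, size_t outlen)
{
    size_t used = 0;
    if (ncomps == 0 || outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < ncomps; i++) {
        size_t len = strlen(comps[i]);
        if (len == 0 || (!permit_dotted && strchr(comps[i], '.') != NULL))
            return -1;
        if (used + (i ? 1 : 0) + len + 1 > outlen)  /* sep + text + NUL */
            return -1;
        if (i)
            out[used++] = '.';
        memcpy(out + used, comps[i], len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

/* Returns 1 if two distinct principals yield the same AFS name once
 * dotted components are permitted, 0 otherwise. */
int afs_names_collide(const char *const a[], size_t na,
                      const char *const b[], size_t nb)
{
    char x[128], y[128];
    if (krb5_to_afs_name(a, na, 1, x, sizeof x) != 0) return 0;
    if (krb5_to_afs_name(b, nb, 1, y, sizeof y) != 0) return 0;
    return strcmp(x, y) == 0;
}

int main(void)
{
    char buf[128];
    printf("collide when dots permitted: %d\n",
           afs_names_collide(SAMPLE_USER, 1, SAMPLE_ADMIN, 2));
    printf("dotted name refused by default: %d\n",
           krb5_to_afs_name(SAMPLE_USER, 1, 0, buf, sizeof buf) == -1);
    return 0;
}
```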
