Nicolas Williams wrote:
>
> > name1 = gss_import_name("some printable name")
> > ctx = gss_init_sec_context(target_name=name1)
> > name2 = gss_inquire_context(target_name)
> >
> >
> > GSS-API does *NOT* require that the name that gss_inquire_context()
> > returns (visualized via gss_display_name()) looks character for character
> > like the name that was passed to gss_import_name().
> >
> > What GSS-API v1 and v2 require is that gss_compare_name(name1,name2)
> > will return TRUE when name1 was the input of gss_init_sec_context() and
> > name2 was the output of gss_inquire_context().
> >
> > What GSS-API v2 additionally requires is that
> > (1) gss_export_name(gss_canonicalize_name(name1)) results in the same binary
> > blob as (2) gss_export_name(name2), simply because (1) will be used
> > to (pre-)populate an access control list and (2) will be used to match
> > authenticated users against that access control list.
>
> We've had this argument before. We continue to disagree. I think we'll
> have to leave it at that for now. I cannot spare the resources at this
> moment and for the short-term to have this argument again. We may have
> this argument again later though.
>
> As a reminder, my position is:
>
> - RFC2743 does not say this

Those who can read have an advantage. Go and reread rfc-2743

   Section 1.1.5: Naming

It's a very detailed and explicit requirement!

-Martin
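An added example, not part of the original message or of any GSS-API implementation: the access-control comparison described in the quoted text, done as a byte-for-byte match on exported name tokens after checking the RFC 2743 section 3.2 framing. The function names and the sample principal are assumptions, and the tokens are constructed stand-ins for real gss_export_name() output.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 */
static const uint8_t KRB5_OID[] = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

/* Constructed sample token in the RFC 2743 section 3.2 layout:
 * 04 01 | OID len (2, BE) | DER OID | name len (4, BE) | name.
 * Stands in for gss_export_name() output; returns its length, 0 if too big. */
size_t build_sample_token(const char *name, uint8_t *out, size_t cap)
{
    size_t n = strlen(name), total = 4 + sizeof KRB5_OID + 4 + n;
    if (total > cap) return 0;
    uint8_t hdr[4] = {0x04, 0x01, 0x00, (uint8_t)sizeof KRB5_OID};
    uint8_t nl[4] = {(uint8_t)(n >> 24), (uint8_t)(n >> 16), (uint8_t)(n >> 8), (uint8_t)n};
    memcpy(out, hdr, 4);
    memcpy(out + 4, KRB5_OID, sizeof KRB5_OID);
    memcpy(out + 4 + sizeof KRB5_OID, nl, 4);
    memcpy(out + 8 + sizeof KRB5_OID, name, n);
    return total;
}

/* Framing check for an exported name token; returns 1 if well formed. */
int exported_name_ok(const uint8_t *t, size_t len)
{
    if (len < 4 || t[0] != 0x04 || t[1] != 0x01) return 0;
    size_t oid_len = ((size_t)t[2] << 8) | t[3];
    if (oid_len < 2 || oid_len > len - 4) return 0;
    /* Assumption: short-form DER length only, enough for mechanism OIDs. */
    if (t[4] != 0x06 || t[5] >= 0x80 || (size_t)t[5] + 2 != oid_len) return 0;
    size_t off = 4 + oid_len;
    if (len - off < 4) return 0;
    size_t name_len = ((size_t)t[off] << 24) | ((size_t)t[off + 1] << 16) |
                      ((size_t)t[off + 2] << 8) | t[off + 3];
    return name_len == len - off - 4;   /* no truncation, no trailing bytes */
}

/* ACL entry = export(canonicalize(name1)); peer = export(name2).
 * Grant only on byte-for-byte equality of the two blobs. */
int acl_match(const uint8_t *entry, size_t elen, const uint8_t *peer, size_t plen)
{
    if (!exported_name_ok(entry, elen) || !exported_name_ok(peer, plen)) return 0;
    return elen == plen && memcmp(entry, peer, plen) == 0;
}
```

Two tokens that differ only in the case of the name do not match here, which is why the ACL side has to be populated from the canonicalized name rather than from the string as typed.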