On Tue, Jul 03, 2007 at 05:36:23PM -0500, Alec Kloss wrote:
> On 2007-07-03 20:28, Joe Orton wrote:
> > On Tue, Jul 03, 2007 at 08:41:32AM -0500, Alec Kloss wrote:
> > > Can we be cautious about implementing DNS-based SPN canonicalization?
> >
> > How can it be avoided, though? If this is what the GSSAPI libraries do,
> > then it's a de facto standard; changing it would be an interop problem.
> > (as is being demonstrated by the behaviour of the SSPI implementation)
>
> I guess I'll show my spots, but I don't (or at least didn't) want
> to get into a long discussion of c14n. I'm of the opinion the DNS
> canonicalization is a disaster for security for reasons discussed
> in the email thread I mentioned.
I don't disagree that it's bad in principle. But as I said, the de facto standard is that clients are required to do canonicalisation for successful interop. I agree also that adding config options for this would be just horrible.

So the right thing to do seems to be to fix the neon SSPI code to work like GSSAPI in this respect, as Yves proposed - and patches for that are still welcome :)

Regards, joe

_______________________________________________
neon mailing list
[email protected]
http://mailman.webdav.org/mailman/listinfo/neon
