[14624] in Kerberos
Principal naming.
daemon@ATHENA.MIT.EDU (asr@ufl.edu)
Thu Jul 5 08:20:43 2001
Message-Id: <200107051218.f65CIHX10516@smtp.ufl.edu>
To: kerberos@mit.edu
From: asr@ufl.edu
Reply-To: "Allen S. Rout" <asr@ufl.edu>
Date: Thu, 05 Jul 2001 08:18:17 -0400
Greetings, all.
We're re-examining how we name some special-purpose administrative principals
here at UF, and wanted to evoke some comments or experiences.
The docs seem clear that Kerberos 5 principals are:
component(/component)+@REALM
i.e. many components are possible.
Has anyone encountered interoperability issues with more than two components?
What are the circumstances in which other organizations have used these longer
principals?
We're contemplating using three segments to let us express:
group1/APPLICATION/application-name
to permit differentiation between the domain of application names and some
other set of names we haven't thought of yet.
We'd considered something like
group_application/APPLICATION
to parallel foo.bar.com/host
but are currently thinking that, if we want to put in all three of those
tokens we should use the '/' delimiter.
Opinions?
- Allen S. Rout
