[Adium-devl] server Kerberos principal names

Peter Saint-Andre stpeter at stpeter.im
Fri Jan 11 00:56:13 UTC 2008


Ken Raeburn wrote:
> On Jan 10, 2008, at 14:32, Peter Saint-Andre wrote:
>> Ken Raeburn wrote:
>>> At first glance, I'm not sure how much it helps, though. I've got
>>> to go back and re-read Nico's docs....
> 
> I found the piece I was missing.  It should do the trick, yeah.   
> (Though it'd be nicer if SASL supported domain-based names and Jabber  
> just used that, instead of making it specific to Kerberos, but,  
> whatever.)

Talk to the SASL WG about that. :)

>> However, the problem is large deployments with multiple connection  
>> managers. You're assigned to a particular connection manager by a  
>> load balancer. So you don't know if you'll end up with a physical  
>> connection (TCP socket) at us3.cm.xmpp.example.com or  
>> eu7.xmpp.example.com or whatever, and you need to know that  
>> specific hostname in order to get the right service principal name  
>> etc.
> 
> There are some possible arguments for using the JID domain instead of  
> the hostname, but like you say, this isn't the place to hash them  
> out.  And if the current XMPP specs say you use the name of the host  
> you connect to, whether configured by the user or looked up via SRV  
> RR, then that's what it says, and then I can tell which cases Adium  
> (or libpurple) is getting right and which it isn't, and fix the  
> latter.... Thanks.

The spec (RFC 3920) doesn't say that yet, or at least it is ambiguous. 
However I am in the process of updating RFC 3920 via an Internet-Draft 
(draft-saintandre-rfc3920bis) and that updated spec, when published, 
will cover this scenario (user-inputted hostname). With proper vetting 
by the IETF security mafia and all that...

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
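An added example (not from this thread, nor from Adium or libpurple) of the deployment problem discussed above: the client's expected service principal is derived from the host it actually connects to, and with load-balanced connection managers that host is whichever SRV target was selected, so the operator must provision an `xmpp/<host>` key for every target. The SRV table, hostnames and the realm `EXAMPLE.COM` are constructed sample data; the service name `xmpp` is the GSSAPI service name registered by RFC 3920.

```python
import random
from dataclasses import dataclass

# Constructed SRV records for _xmpp-client._tcp.example.com (sample data, not real DNS).
# Fields follow RFC 2782: priority, weight, port, target.
@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str

SRV_TABLE = {
    "example.com": [
        SRV(10, 60, 5222, "us3.cm.xmpp.example.com"),
        SRV(10, 40, 5222, "eu7.xmpp.example.com"),
        SRV(20, 0, 5222, "backup.xmpp.example.com"),
    ]
}

def select_target(domain, rng=random):
    """RFC 2782 selection: lowest priority tier first, weighted-random within it."""
    records = SRV_TABLE.get(domain)
    if not records:
        return domain, 5222  # no SRV: fall back to the domain name itself
    best = min(r.priority for r in records)
    tier = [r for r in records if r.priority == best]
    total = sum(r.weight for r in tier)
    pick = rng.uniform(0, total) if total else 0
    for r in tier:
        pick -= r.weight
        if pick <= 0:
            return r.target, r.port
    return tier[-1].target, tier[-1].port

def service_principal(host, realm):
    """Principal the client will ask the KDC for: service 'xmpp', instance = connected host."""
    return f"xmpp/{host.lower().rstrip('.')}@{realm}"

def required_principals(domain, realm):
    """Every SRV target a client may be balanced to needs its own key on that host."""
    targets = [r.target for r in SRV_TABLE.get(domain, [])] or [domain]
    return {service_principal(t, realm) for t in targets}

def missing_keys(domain, realm, keytab_principals):
    """Operator check: which connection managers lack a provisioned service key."""
    return sorted(required_principals(domain, realm) - set(keytab_principals))
```

A user who types `us3.cm.xmpp.example.com` directly gets the same principal as a client that was balanced there via SRV, which is the case the updated spec is meant to make explicit.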
