Durbin_Ron | 6 Jul 00:44 2006

RFC4210 and Uppercase realm names


Can someone in the group give me some insight to answer the following
questions?

Has the practice of forcing Kerberos realm names to upper case become the
de facto standard?
Is this why the recommendation language was added to 4120?

6.1.  Realm Names

...

   Kerberos realm names are case sensitive.  Realm names that differ
   only in the case of the characters are not equivalent.  There are
   presently three styles of realm names: domain, X500, and other.
   Examples of each style follow:

        domain:   ATHENA.MIT.EDU
          X500:   C=US/O=OSF
         other:   NAMETYPE:rest/of.name=without-restrictions

   Domain style realm names MUST look like domain names: they consist of
   components separated by periods (.) and they contain neither colons
   (:) nor slashes (/).  Though domain names themselves are case
   insensitive, in order for realms to match, the case must match as
   well.  When establishing a new realm name based on an internet domain
   name it is recommended by convention that the characters be converted
   to uppercase.

7.2.3.1.  DNS vs. Kerberos: Case Sensitivity of Realm Names

Marcus Watts | 6 Jul 01:08 2006

Re: RFC4210 and Uppercase realm names

Durbin_Ron <at> emc.com writes:
> Can someone in the group give me some insight to answer the following
> questions?
> 
> Has the practice of forcing Kerberos realm names to upper case become the
> de facto standard?
> Is this why the recommendation language was added to 4120?
...

It was *always* the de facto standard that Kerberos realm names
were upper-case.

I think originally this was because MIT by convention had used
upper-case in their realm name -- presumably this was something
they had inherited from the early days of the ARPANET and before
that upper-case computing technology from the likes of IBM and DEC.
Or maybe it's just because MIT (also DEC and IBM) are TLAs.

The most distinctive non-MIT Kerberos 4 implementation was
AFS.  It was programmed to have lower-case cell names, upper-case
realm names, and included two features you see today in Kerberos 5:
preauthentication, and including the realm in the salt used for
the string to key conversion.  That meant that the case of the realm
was a pretty wired-in decision.  It also meant the software upper-cased
the realm internally, but lower-cased it whenever you saw it, so it was
easy to miss the significance of the decision to force upper-case.

There wasn't any wording originally about which case realm names should
use.  And, of course, the original MIT code didn't actually break too

Russ Allbery | 6 Jul 05:33 2006

Re: RFC4210 and Uppercase realm names

Marcus Watts <mdw <at> umich.edu> writes:

> Somehow Stanford ended up with a lower-case realm -- I'm not quite clear
> if that's just something they did initially or if they decided to do
> this as part of their K4 to K5 migration process.

When we started constructing our K5 realm, we picked a lowercase realm
name since that's how users were used to typing their e-mail addresses and
since K5 was case-sensitive, we thought it might save user confusion in
things like .k5login files.

> However, the conclusion that came out of their experience is that
> lower-case K5 realm names is just a bad idea, hence the language you see
> in 4120.

Basically, everything works but all the defaults are wrong, so you often
end up being stuck with requiring krb5.conf files or other types of manual
configuration in places where things would otherwise just work.

-- 
Russ Allbery (rra <at> stanford.edu)             <http://www.eyrie.org/~eagle/>
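
As an added illustration (not part of any message in this thread), the sketch below classifies realm names by the section 6.1 styles and shows why a lowercase domain-style realm ends up needing manual configuration. It assumes the X500 and "other" rules from the elided part of RFC 4120 section 6.1 and a simplified fallback, as documented for MIT krb5, that guesses a host's realm as its DNS domain converted to uppercase; the function names and the example.edu hosts are constructed.

```python
# Added illustration; function names and example.edu hosts are constructed.

def realm_style(realm):
    """Classify a realm name by the styles of RFC 4120 section 6.1."""
    if not realm:
        return "invalid"
    prefix, colon, _rest = realm.partition(":")
    # other: a prefix containing no '=' or '.', followed by ':'
    if colon and prefix and "=" not in prefix and "." not in prefix:
        return "other"
    # X500: contains '=', with no ':' before the first '='
    if "=" in realm and ":" not in realm.split("=", 1)[0]:
        return "X500"
    # domain: period-separated components, neither ':' nor '/'
    if ":" not in realm and "/" not in realm and all(realm.split(".")):
        return "domain"
    return "invalid"

def default_realm_for_host(fqdn):
    """Assumed fallback when no explicit mapping exists: DNS domain, uppercased."""
    _host, _dot, domain = fqdn.partition(".")
    return domain.upper()

def audit(realm, hosts):
    """Return findings for a proposed realm name and the hosts it should serve."""
    findings = []
    style = realm_style(realm)
    if style == "invalid":
        findings.append(f"{realm!r}: matches none of the section 6.1 styles")
    if style == "domain" and realm != realm.upper():
        findings.append(f"{realm}: domain-style realm is not uppercase")
    for host in hosts:
        guess = default_realm_for_host(host)
        # Realm names are case sensitive, so compare exactly, without folding.
        if guess != realm:
            findings.append(f"{host}: default guess {guess} != {realm}, "
                            "needs an explicit host-to-realm mapping")
    return findings

if __name__ == "__main__":
    for realm in ("EXAMPLE.EDU", "example.edu"):
        print(realm, audit(realm, ["www.example.edu", "mail.example.edu"]))
```
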

Nicolas Williams | 6 Jul 20:17 2006

Re: RFC4210 and Uppercase realm names

On Wed, Jul 05, 2006 at 06:44:09PM -0400, Durbin_Ron <at> emc.com wrote:
> Has the practice of forcing Kerberos realm names to upper case, become the
> defacto standard?

Yes.

> Is this why the recommendation language was added to 4120?

Yes.

Keep in mind that this will likely change for non-US-ASCII realm names
when Kerberos V protocol internationalization is done.  In the meantime
don't use non-US-ASCII realm names.

