Re: Realms (DIGEST-MD5 and otherwise)
On 27 Aug 1999 18:54:13 -0400 Lawrence Greenfield <leg+@xxxxxxxxxxxxxx>
wrote:
> Hi,
>
> I've been thinking about multiple realms on servers a lot lately, and
> it would simplify implementations as well as users if we can impose
> some rules on valid realm strings.
>
> I would propose that realms be DNS-style and should be in all
> uppercase letters (and implementations may be free to uppercase realms
> for the user). This follows the conventions of Kerberos. Allowing
> any arbitrary, case-sensitive string that users might have to type in
> is especially annoying.
I 100% agree with you.
BTW, I raised this question during the Minneapolis DIGEST lunch.
Probably I haven't explained the problem clearly.
The only problem I see is that DIGEST-MD5 should be compatible with
HTTP digest. The latter allows any text string to be used as a realm (and I've
seen implementations that use such HTTP realms).
> Allowing @'s in realms is especially confusing, since it makes it
> hard for a server to refer to a user as user@REALM.
I will not argue about using '@' in a realm, but I would suggest that
a realm may contain something like a "group specifier". So the
proposed syntax of a realm would be
[<group>.]<fqn>
> Could we add this restriction to DIGEST-MD5 and propose it as a
> guideline for future mechanisms?
Keeping in mind compatibility with HTTP, this should be SHOULD, not MUST.
-------------------
Alexey Melnikov
mel@xxxxxxxxxxxxxxxxxxx