Alexey Melnikov <alexey.melnikov@xxxxxxxxx> writes:
Simon Josefsson wrote:
4.2. Context Token
[...]
The client calls GSS_Init_sec_context, passing in
input_context_handle of 0 (initially), mech_type of the GSSAPI
mechanism for which this SASL mechanism is registered, the
chan_binding is set to NULL, and targ_name equal to output_name from
GSS_Import_Name called with input_name_type of
GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
GS1 has a note marker (*) after "GSS_C_NT_HOSTBASED_SERVICE"; the note
reads:
(*) - Clients MAY use name types other than
GSS_C_NT_HOSTBASED_SERVICE to import servers' acceptor names, but
only when they have a priori knowledge that the servers support
alternate name types. Otherwise clients MUST use
GSS_C_NT_HOSTBASED_SERVICE for importing acceptor names.
This is to address Nico's recent proposal to allow for domain-based names.
I've added this.
Is something similar needed for the server side too?
I think something like the following (from GS1) is sufficient:
(**) - Use of server's principal names having
GSS_C_NT_HOSTBASED_SERVICE name type and "service@hostname" format,
where "service" is the service name specified in the protocol's
profile, is RECOMMENDED.
So basically this allows for other name types.
OK. I added the explanation for "hostname" and the reference to
GSS_Import_name, that were both lost, so the entire sentence now
reads:
<t>(**) - Use of server's principal names having
GSS_C_NT_HOSTBASED_SERVICE name type and "service@hostname"
format, where "service" is the service name specified in the
protocol's profile, and "hostname" is the fully qualified host
name of the server, is RECOMMENDED. The desired server name
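The client-side rule discussed in this thread (build the acceptor name as "service@hostname" with GSS_C_NT_HOSTBASED_SERVICE, require a fully qualified host name, and fall back to another name type only with a priori knowledge that the server supports it), as an added Python example that is not part of the draft or either author's text. The name-type constant is a symbolic stand-in for the real GSS-API OID and the `acceptor_name` helper is hypothetical; a real client would hand the returned pair to GSS_Import_Name.

```python
import re

# Symbolic stand-in for the GSS-API host-based service name type OID
# (constructed for this example; real code uses the mechanism's OID).
GSS_C_NT_HOSTBASED_SERVICE = "GSS_C_NT_HOSTBASED_SERVICE"

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn(hostname: str) -> bool:
    """True only for a fully qualified host name: at least two labels,
    no trailing dot, and not an IPv4 literal. An unqualified name could
    be completed through resolver search domains, yielding a different
    acceptor principal than the one the user intended."""
    if not hostname or len(hostname) > 253 or hostname.endswith("."):
        return False
    labels = hostname.split(".")
    if len(labels) < 2:
        return False
    if all(label.isdigit() for label in labels):
        return False  # dotted-quad address, not a host name
    return all(_LABEL.match(label) for label in labels)


def acceptor_name(service, hostname, alternate=None, alternate_known_supported=False):
    """Return (input_name_type, input_name_string) for GSS_Import_Name.

    `alternate` is an optional (name_type, name_string) pair, e.g. a
    domain-based name. It is used only when the caller asserts a priori
    knowledge that the server supports it; otherwise the client MUST use
    GSS_C_NT_HOSTBASED_SERVICE, as the draft's note requires."""
    if alternate is not None and alternate_known_supported:
        return alternate
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9-]*", service):
        raise ValueError(f"invalid service name: {service!r}")
    if not is_fqdn(hostname):
        raise ValueError(f"hostname must be fully qualified: {hostname!r}")
    return (GSS_C_NT_HOSTBASED_SERVICE, f"{service}@{hostname}")
```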