
Re: NAI semantics (Re: #1047 Path field delimiters and syntax - status)



In <1663D67CF83125DFFB970862@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> Harald Tveit Alvestrand <harald@xxxxxxxxxxxxx> writes:

>[Changing subject - far off thread]

>No, it explicitly does not.
>I did not quote all of RFC 2486, but the document makes it very clear that 
>there is NO requirement for *anything* to be at this point in the DNS.

>The requirement for using foo.bar.example.com as a NAI is that you have a 
>"right to use" the name foo.bar.example.com in the DNS.
>This can be an agreement with the bar.example.com administrator, or an 
>agreement with the example.com administrator (if bar isn't administered 
>separately) - there's no need for anything in the DNS.

The problem with that is that a "right" which is only established by some
verbal or written agreement with some administrator cannot be verified
externally.

The wording in RFC 2486 is far from clear.

  Those wishing to use an NAI realm name should first acquire the rights
  to use the corresponding FQDN.

It does not define "rights". If the nameserver for example.com does not
contain an NS or SOA record for bar.example.com, then the "right" to
foo.bar.example.com remains with example.com. OTOH, if such an NS or SOA
record does exist, then the "right" belongs to whoever owns the nameserver
contained therein, which would presumably be bar.example.com.

  Using an NAI realm without ownership of the corresponding FQDN creates
  the possibility of conflict and therefore is to be discouraged.

Again, what does "ownership" mean, and how does it relate to "rights"?

  Note that the use of an FQDN as the realm name does not imply use of the
  DNS for location of the authentication server or for authentication
  routing.

Which indicates that you don't have to use the DNS to locate the NAI host
(indeed, the DNS may not contain that information). But it seems that you
still need the DNS, or some part of it, in order to establish those
"rights" or "ownership".

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl@xxxxxxxxxxxxxxxx      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
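The delegation argument in the message above (the "right" to foo.bar.example.com sits with whichever enclosing name carries an NS or SOA record) can be modelled as a label walk. This is an added example, not part of the original message or of RFC 2486; the zone snapshot it walks is constructed inline so it runs offline, and `closest_zone` is a hypothetical helper name.

```python
# Constructed snapshot of DNS data standing in for real zone contents:
# record types present at each owner name (assumption, not real DNS data).
RECORDS = {
    "example.com.": {"SOA", "NS"},   # zone apex
    "bar.example.com.": {"NS"},      # delegated by example.com to its own servers
    "qux.example.com.": {"A"},       # ordinary host record, no delegation
}

def closest_zone(fqdn, records=RECORDS):
    """Return the nearest name, starting at fqdn itself and walking up one
    label at a time, that carries an NS or SOA record in the snapshot.

    Per the argument in the message, that name identifies the administrator
    from whom the RFC 2486 'right to use' the NAI realm would be obtained.
    Returns None when no enclosing name in the snapshot is authoritative.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if records.get(candidate, set()) & {"NS", "SOA"}:
            return candidate
    return None

def realm_rights_holder(realm, records=RECORDS):
    """Classify an NAI realm: 'self' when the realm is itself a zone cut,
    the parent zone name when it falls inside a parent's zone, or
    'unknown' when the snapshot shows no authoritative ancestor."""
    zone = closest_zone(realm, records)
    if zone is None:
        return "unknown"
    if zone == realm.rstrip(".").lower() + ".":
        return "self"
    return zone

if __name__ == "__main__":
    for realm in ("foo.bar.example.com", "foo.qux.example.com",
                  "bar.example.com", "host.other.test"):
        print(realm, "->", closest_zone(realm), realm_rights_holder(realm))
```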