Is there a list of characters allowed to define a principal name and realm? - Kerberos


  1. Is there a list of characters allowed to define a principal name and realm?

    Hola..

    I'm defining some documentation of these two terms (principal name and
    realm). And I'm wondering if there are any special characters allowed to
    define a principal name and realm name?

    I know that the valid characters are case sensitive and include all
    alpha-numeric characters (a-z, A-Z, 0-9), but I need to know if there are
    more special characters that need to be considered.

    Thanks in advance.


    * Carpe diem
    Julio Cesar Parra Uribe IBMMX(JCPARRA)
    E-mail: jcparra@mx1.ibm.com
    T/L 877-2535 Ext phone: (5233)3669-7000 Ext. 2535
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Is there a list of characters allowed to define a principal name and realm?

    On Jun 27, 2006, at 18:01, Julio Cesar Parra/Mexico/IBM wrote:
    > Hola..
    >
    > I'm defining some documentation of these two terms (principal name and
    > realm). And I'm wondering if there are any special characters allowed to
    > define a principal name and realm name?


    Oh, what a fun question, one we've had problems with before.

    The first two answers I heard people here tossing around when your
    email came in were:
    "You don't want to know."
    "Z, 4, Q, Q, Q, and the batman symbol"

    More seriously:

    Some early implementations just used whatever byte values they were
    passed, making it implementation- and locale-dependent, resulting in
    interoperability issues.

    For portability, I think the right answer is "if you use anything
    outside of US-ASCII minus control characters, you're likely to hurt
    yourself or your users", and RFC 4120's specifications and
    recommendations are based on that. We intend to move to UTF-8 in the
    future, but the wire encoding will be different from the current one.

    For domain-style realm names (AFAIK the only kind in widespread use
    currently), look up the specs on naming entries in the domain name
    system. But steer away from internationalized names and IDN -- I
    suspect the eventual answer is going to be to use a UTF-8 encoding
    (again, in a newer spec) of the internationalized domain/realm name,
    not the IDN encoding. I could be wrong.

    > I know that the valid characters are case sensitive and include all
    > alpha-numeric characters (a-z, A-Z, 0-9), but I need to know if there are
    > more special characters that need to be considered.


    ASCII punctuation, space, etc. They're uncommon (except for obvious
    ones like ".", "-", "_", and also "/" and "@" in normal printed
    form), but allowed.

    Ken


  3. Re: Is there a list of characters allowed to define a principal name and realm?

    > To: kerberos@mit.edu
    > Subject: Is there a list of characters allowed to define a principal name and
    > realm?
    > From: Julio Cesar Parra/Mexico/IBM
    > Message-ID:
    > Date: Tue, 27 Jun 2006 17:01:13 -0500
    >
    > Hola..
    >
    > I'm defining some documentation of these two terms (principal name and
    > realm). And I'm wondering if there are any special characters allowed to
    > define a principal name and realm name?
    >
    > I know that the valid characters are case sensitive and include all
    > alpha-numeric characters (a-z, A-Z, 0-9). but I need to know if there are
    > more special characters that need to be considered.
    >
    > Thanks in advance.
    >
    >
    > * Carpe diem
    > Julio Cesar Parra Uribe IBMMX(JCPARRA)
    > E-mail: jcparra@mx1.ibm.com
    > T/L 877-2535 Ext phone: (5233)3669-7000 Ext. 2535
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >


    As far as I can tell, the kerberos source (mit and heimdal)
    tries very hard to support "any printable ascii character",
    or very nearly, "any ascii character".
    When converting to/from printable form, krb5_parse_name
    and krb5_unparse_name recognize these as special:
      @  - start realm
      /  - delimit name components
      \  - escape next character:
        \@ - embed @ in name or realm component
        \/ - embed / in name or realm component
        \0 - embed NUL
        \n - embed newline
        \t - embed tab
        \b - embed backspace
        \Z - embed Z (anything but 0ntb) in name or realm (but
             for identity mapped characters, only
             space \ @ and / are escaped on output).
    Note: this means \v \r \f \x20 \177 are not the same as in C.
    There's an expectation (depending on configuration) that the realm name
    might be looked up in DNS.

    I believe shishi doesn't handle \0 \n \r \t \b .

    RFC 4120 requires IA5String support, but flat out forbids \0 in realms,
    and for other control characters says "SHOULD NOT" be used in principal
    or realm names. There are additional constraints on realm names;
    the use of : or / in the realm indicates special behavior.

    -Marcus Watts
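
The escape rules listed in the post above, together with the RFC 4120 constraints it cites, as an added Python sketch that is not part of the original thread and is not MIT or Heimdal code. The function names are hypothetical, and rejecting a bare @ or / after the realm has started is an assumption of this example.

```python
# Added example: a simplified model of the escape rules listed in the post,
# not the MIT or Heimdal implementation.
ESCAPES = {"0": "\0", "n": "\n", "t": "\t", "b": "\b"}
UNESCAPES = {v: "\\" + k for k, v in ESCAPES.items()}

def parse_principal(text):
    """Split printable form into (components, realm); realm is None if absent."""
    parts, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise ValueError("trailing backslash")
            nxt = text[i + 1]
            cur.append(ESCAPES.get(nxt, nxt))  # \Z is Z for anything but 0ntb
            i += 2
            continue
        if ch in "@/":
            if in_realm:  # assumption: bare @ or / after the realm starts is malformed
                raise ValueError("unescaped %r in realm" % ch)
            parts.append("".join(cur))
            cur, in_realm = [], ch == "@"
        else:
            cur.append(ch)
        i += 1
    last = "".join(cur)
    return (parts, last) if in_realm else (parts + [last], None)

def unparse_principal(components, realm=None):
    """Inverse of parse_principal: escape space, backslash, @, / and 0ntb."""
    def esc(s):
        return "".join(UNESCAPES.get(c, "\\" + c if c in " \\@/" else c) for c in s)
    name = "/".join(esc(c) for c in components)
    return name if realm is None else name + "@" + esc(realm)

def portability_findings(components, realm):
    """Flag names outside what the thread calls portable."""
    out = []
    for label, value in [("name", c) for c in components] + [("realm", realm or "")]:
        if any(ord(c) > 0x7F for c in value):
            out.append(label + ": non-ASCII, encoding-dependent")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            out.append(label + ": control character")
    if realm and "\0" in realm:
        out.append("realm: NUL is forbidden by RFC 4120")
    if realm and any(c in ":/" for c in realm):
        out.append("realm: ':' or '/' indicates special behavior")
    return out
```

Running `portability_findings` on the output of `parse_principal` before a principal is created shows which names would depend on locale or implementation behaviour.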


  4. Re: Is there a list of characters allowed to define a principal name and realm?

    On Tue, 27 Jun 2006 18:38:47 -0400, Ken Raeburn wrote:

    > For portability, I think the right answer is "if you use anything outside
    > of US-ASCII minus control characters, you're likely to hurt yourself or
    > your users", and RFC 4120's specifications and recommendations are based
    > on that. We intend to move to UTF-8 in the future, but the wire encoding
    > will be different from the current one.


    As far as I know Windows 2K3 already accepts utf8 characters in their
    strings. None of the MIT krb5 libraries does any multibyte handling which
    means that utf8 passes through them relatively cleanly (I've used this
    in the Samba code to allow utf8 logon names to be used within Samba+krb5).

    Jeremy.

  5. Re: Is there a list of characters allowed to define a principal name and realm?

    On Jun 27, 2006, at 19:29, Jeremy Allison wrote:
    > On Tue, 27 Jun 2006 18:38:47 -0400, Ken Raeburn wrote:
    >> For portability, I think the right answer is "if you use anything
    >> outside of US-ASCII minus control characters, you're likely to hurt
    >> yourself or your users", and RFC 4120's specifications and
    >> recommendations are based on that. We intend to move to UTF-8 in the
    >> future, but the wire encoding will be different from the current one.
    >
    > As far as I know Windows 2K3 already accepts utf8 characters in their
    > strings. None of the MIT krb5 libraries does any multibyte handling
    > which means that utf8 passes through them relatively cleanly (I've used
    > this in the Samba code to allow utf8 logon names to be used within
    > Samba+krb5).


    Right. And if you try to use the MIT programs in an ISO-8859-1
    environment with the same characters, things will fail, because the
    encoding will be different.

    (Windows is violating the spec in doing this, of course.)

    Ken

