Kerberos has limited handling for non-ASCII characters which limits us in host and domain names. Nalin tells me it supports iso-2022.
http://tools.ietf.org/html/draft-ietf-krb-wg-info-ascii-gen-string-00 contains:
Abstract:
To ensure future interoperability between existing deployments of Kerberos 5 (RFC 1510) and future standards efforts the Kerberos Working Group strongly recommends that users of Kerberos 5 implementations SHOULD NOT deploy Kerberos principal or service names that utilize characters not included in the 94 printable characters specified in the International Reference Version of ISO-646/ECMA-6 (aka U.S. ASCII).
It goes on to describe several methods to move to UTF-8.
Just for reference. The Windows KDC accepts UTF8 in principal names and that's how it handles internationalization. For the sake of compatibility (due to our trust support and all), we will probably have to do the same.
In a discussion with MIT, we came to the conclusion that changing the standard will probably be hard. However there was a sort of acceptance, if not consensus that using UTF8 here makes sense. So even though not technically standards compliant it seem like the only sane route we can take in order to support internationalized names.
Will raise question with MIT about whether libkrb5 will properly support transalting from punycode to utf8 or whether applications will have to do that.
As a side note, when implementing this, we should probably make sure strings are normalized (NFC form) at creation time. Some info about normalization here: http://en.wikipedia.org/wiki/Unicode_equivalence
Related: #3169.
Related: #4037.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: Ticket Backlog
Login to comment on this ticket.