Connected: An Internet Encyclopedia
7.2. Principal Names

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 1510
Up: 7. Naming Constraints
Prev: 7.1. Realm Names
Next: 7.2.1. Name of server principals

7.2. Principal Names

7.2. Principal Names

As was the case for realm names, conventions are needed to ensure that all agree on what information is implied by a principal name. The name-type field that is part of the principal name indicates the kind of information implied by the name. The name-type should be treated as a hint. Ignoring the name type, no two names can be the same (i.e., at least one of the components, or the realm, must be different). This constraint may be eliminated in the future. The following name types are defined:

      name-type      value   meaning
      NT-UNKNOWN       0     Name type not known
      NT-PRINCIPAL     1     Just the name of the principal as in
                             DCE, or for users
      NT-SRV-INST      2     Service and other unique instance (krbtgt)
      NT-SRV-HST       3     Service with host name as instance
                             (telnet, rcommands)
      NT-SRV-XHST      4     Service with host as remaining components
      NT-UID           5     Unique ID

When a name implies no information other than its uniqueness at a particular time the name type PRINCIPAL should be used. The principal name type should be used for users, and it might also be used for a unique server. If the name is a unique machine generated ID that is guaranteed never to be reassigned then the name type of UID should be used (note that it is generally a bad idea to reassign names of any type since stale entries might remain in access control lists). If the first component of a name identifies a service and the remaining components identify an instance of the service in a server specified manner, then the name type of SRV-INST should be used. An example of this name type is the Kerberos ticket-granting ticket which has a first component of krbtgt and a second component identifying the realm for which the ticket is valid.

If instance is a single component following the service name and the instance identifies the host on which the server is running, then the name type SRV-HST should be used. This type is typically used for Internet services such as telnet and the Berkeley R commands. If the separate components of the host name appear as successive components following the name of the service, then the name type SRVXHST should be used. This type might be used to identify servers on hosts with X.500 names where the slash (/) might otherwise be ambiguous.

A name type of UNKNOWN should be used when the form of the name is not known. When comparing names, a name of type UNKNOWN will match principals authenticated with names of any type. A principal authenticated with a name of type UNKNOWN, however, will only match other names of type UNKNOWN.

Names of any type with an initial component of "krbtgt" are reserved for the Kerberos ticket granting service. See section 8.2.3 for the form of such names.


Next: 7.2.1. Name of server principals

Connected: An Internet Encyclopedia
7.2. Principal Names