> coda/${coda-realm}@${KRB-REALM}
> 
> as you suggest.  (I made it a bit more explicit that the second 'coda'
> is a variable, not a literal.
> 
> Or perhaps
> 
> auth2/${coda-realm}@${KRB-REALM}

Hello Greg,

yes, auth2 (or codaauth2) seems appropriate.

Well, essentially it doesn't matter at all, just provide a principal
per coda realm, call it xyz1 or abc123, it will work as well,
no /something part is necessary either.

In fact we cannot dictate what the principal shall be called - as it is
a discretion of the Kerberos realm administrators, not Coda ones :)
We can suggest, not more.

> But this raises another issue as to whether in the glorious future of
> GSSAPI protected data traffic (rather than using krb5 to get auth2
> tokens) the coda servers (rather than auth2 servers) have per-machine
> principals.  That would make sense, from the principle of least
> privilege, so that servers can't sniff traffic from other servers.
> So in this case, we would use
> 
> coda/${fqdn-of-server}@${KRB-REALM}

I do not see a real connection between the issues.
It would be pretty different design (if any) and different Kerberos usage,
why would we call principals the same?

Cheers,
--
Ivan