Windows CCAPI design sketch

Alexandra Ellwood lxs at MIT.EDU
Wed Jan 30 15:12:34 EST 2008 

On Jan 30, 2008, at 2:25 PM, Jeffrey Altman wrote:

> Alexandra Ellwood wrote:
>>
>> On Jan 30, 2008, at 12:53 PM, Jeffrey Altman wrote:
>>
>>>>
>>>> CCAPI v2 is deprecated.  All CCAPI v2 functions return errors  
>>>> when called.
>>> This decision is going to cause problems for all currently  
>>> deployed applications which support the use of multiple credential  
>>> caches.  These applications use the CCAPIv2 to enumerate the  
>>> available credential caches in order to determine which caches are  
>>> available.   There has been no other interface for them to use.   
>>> By failing to implement CCAPIv2 on top of the new implementation  
>>> there will be no transition mechanism for organizations to use  
>>> when upgrading to KFW 4.0 and CCAPIv7.
>>>>
>>
>>
>> I'm aware that the CCAPI v3 was never shipped on Windows.  I made  
>> this decision based on several factors:
>>
>> 1) Statements made in meetings last fall that Secure Endpoints did  
>> not believe any third party Windows applications were using the  
>> CCAPI and that it should become an internal API on all platforms  
>> (with callers using the krb5_ccol_* and krb5_cc_* APIs instead).   
>> As a result I operated under the assumption that all existing  
>> callers were part the KfW product and could be modified to use the  
>> CCAPI v3 in the next release containing the new CCAPI implementation.
> I never said that there were no third parties do not use CCAPI.   
> CCAPI has been used directly by applications going as far back as I  
> have been working with KFW.  I used CCAPI in Kermit 95 back in 1998.


That is not what I remember from meetings so clearly there was some  
sort of misunderstanding.  Unfortunately being primarily a Mac and  
Unix developer I know nothing about the Windows platform or any of its  
history.  I've been going on what information I could glean from  
looking at sources and comments in meetings while trying to make  
aggressive vendor deadlines for the KfM product.


Misunderstandings aside, we actually do need CCAPI v2 functionality  
for Windows.  Which brings me to my original conclusion:

>>
>> However it is still possible to implement a shim layer between the  
>> CCAPI v2 and CCAPI v3+.  I believe 1-2 new IPC calls are needed for  
>> the iterators but that shouldn't be too hard.  If someone is  
>> interested in submitting patches which implement these changes we  
>> would be happy to review and integrate them.
>


So my question is: who is going to do the work?

Mac OS X and Unix don't need any CCAPI v2 support since Mac OS X  
deprecated and removed the functionality for Leopard and Unix has  
never had the functionality.  In fact at this point KfM can't actually  
be able to take patches to make CCAPI v2 work so we'll have to have a  
build-time flag to turn on the "CC_NO_SUPP" behavior.


--lxs

Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>

More information about the kfwdev mailing list