WS-Security and GSS-API: How do I get the session key?

Goo speedogoo at gmail.com
Mon Feb 23 19:05:33 EST 2009


> That said, I believe the MIT 1.7 release will include an API for extracting
> a session key if there is one, but no earlier release from MIT will, and I'm
> not sure how portable that API will be to other implementations.

Nice to hear that. Do you know if there's an alpha/beta version with
the new API? Also, is there any IETF draft extending RFC 2743?

Thanks
Speedo

On Tue, Feb 24, 2009 at 00:11, Ken Raeburn <raeburn at mit.edu> wrote:
> On Feb 23, 2009, at 04:39, Speedo wrote:
>>
>> I guess this issue had been discussed before: WS-Security negotiates
>> with Kerberos 5 but uses the session key in a different way from GSS
>> tokens. Since GSS-API is the public API to access Kerberos 5, is there
>> any recent progress in enhancing the GSS-API to provide a function
>> like gss_get_session_key()?
>
> I wouldn't say that "GSS-API is the public API to access Kerberos 5", though
> I think it's generally preferred that you write application *protocols* to
> GSS-API.  (Which means, among other things, not assuming you can extract the
> session key and do with it what you like -- or even assuming that there is
> such a thing as a "session key".)
>
> If you write non-GSSAPI application protocols, there are still non-GSSAPI
> programming interfaces....
>
> That said, I believe the MIT 1.7 release will include an API for extracting
> a session key if there is one, but no earlier release from MIT will, and I'm
> not sure how portable that API will be to other implementations.
>
> Ken
>


