Non-default Quality of Protection?

Tomas Kuthan tomas.kuthan at
Tue Nov 12 04:42:31 EST 2013

Hi all,

I am confuzzled about usefulness of the QOP concept in GSS-API.

RFC 2743 states, that using non-default QOP is a mechanism specific, 
non-portable construct.
RFC 4121 says, that applications using different QOP than default are 
not guaranteed portability and interoperability. It also says, that 
encryption and checksum algorithms in per-message tokens are implicitly 
defined by the algorithms associated with the session key or subkey and 
that using different algorithm than the one for which the key is defined 
may not be appropriate.

This gives me the impression, that using non-default QOPs is discouraged 
and that the whole Quality of Protection concept is somewhat obsolete. 
Is that so?

Do you know of a use-case (real life or hypothetical) for non-default 
QOP with Kerberos GSS-API mechanism?

Does any other GSS-API mechanism make use of non-default QOPs?


More information about the Kerberos mailing list