appl/simple/client/sim_client.c uses internal APIs

Russ Allbery eagle at eyrie.org
Fri Feb 24 18:23:01 EST 2023


Nico Williams <nico at cryptonector.com> writes:

> RFC 7546 exists.

Yes, I am well aware that this exists.  If you can read this and come away
thinking that the API that it describes is simpler than the krb5 API, I
really don't know what to say.  Perhaps GSSAPI reflects the way that you
think more closely, so it seems simpler to you.

I use GSSAPI for new code because it is a *better* API (or, more
precisely, a better *protocol*) that fixes various underlying issues and
has better defaults.  But it is not *simpler*; quite the opposite, it's
more tedious and annoying and weird, harder to debug because of the
imposition of the generic layer that has a tendency to get in the way of
understanding what's going on, and requires you think about both Kerberos
and GSS concepts at the same time when implementing a non-trivial
application instead of focusing only on Kerberos.

Just to take another example, GSSAPI introduces yet another identity
format and now you have to be aware of both the Kerberos identity and the
GSS identity, which are sort of the same but not always.

> I've written a fair amount of app code using krb5 and GSS APIs, and I
> strongly prefer GSS code.

Well, I have written some of that code myself, and I don't agree.

> It does pay a price, but if all you need is encrypted sessions, then
> it's simple.

I think we have very different definitions of simple.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>
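The "two identity formats" point above can be made concrete. The following is an added example, not code from the original post, from MIT Kerberos or from any GSS-API implementation: it parses Kerberos principal strings ("service/host@REALM", with the delimiter escapes \/ \@ \\) and maps a GSS host-based service name of the form "service@host" (GSS_C_NT_HOSTBASED_SERVICE) onto the principal it corresponds to. The realm, which the GSS name does not carry, is passed in as an assumed parameter; the host is lower-cased, as MIT's krb5_sname_to_principal does. The reverse mapping shows the "sort of the same but not always" case: a two-component principal has the right shape, but "alice/admin@REALM" is not a host-based service, and the principal alone cannot tell you.

```c
/* Added example: Kerberos principal string <-> GSS host-based name mapping.
 * Not from the original post or from MIT Kerberos; the realm parameter and
 * the escape subset handled here are this example's own assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMP 4
#define MAX_LEN  128

struct principal {
    int  ncomp;                    /* number of components before '@' */
    char comp[MAX_COMP][MAX_LEN];
    char realm[MAX_LEN];
};

/* Parse "comp1/comp2@REALM". Delimiter escapes \/ \@ \\ are honoured (MIT
 * krb5 also accepts \n \t \b \0, omitted here). An explicit realm is
 * required; a real library would fill in the default realm instead.
 * Returns 0 on success, -1 on malformed input. */
int parse_principal(const char *s, struct principal *p)
{
    memset(p, 0, sizeof *p);
    char *out = p->comp[0];
    int len = 0, in_realm = 0;

    for (; *s != '\0'; s++) {
        char c = *s;
        if (c == '\\') {
            s++;
            if (*s != '/' && *s != '@' && *s != '\\')
                return -1;         /* unknown escape or trailing backslash */
            c = *s;
        } else if (c == '/' && !in_realm) {
            if (++p->ncomp >= MAX_COMP) return -1;
            out = p->comp[p->ncomp];
            len = 0;
            continue;
        } else if (c == '@') {
            if (in_realm) return -1;   /* second unescaped '@' */
            in_realm = 1;
            out = p->realm;
            len = 0;
            continue;
        }
        if (len + 1 >= MAX_LEN) return -1;
        out[len++] = c;
        out[len] = '\0';
    }
    p->ncomp++;                    /* the last (or only) component */
    return (in_realm && p->realm[0] != '\0') ? 0 : -1;
}

/* Append src to buf, escaping the delimiter characters. Returns 0 or -1. */
static int append_escaped(char *buf, size_t n, const char *src)
{
    size_t len = strlen(buf);
    for (; *src != '\0'; src++) {
        if (*src == '/' || *src == '@' || *src == '\\') {
            if (len + 2 >= n) return -1;
            buf[len++] = '\\';
        }
        if (len + 1 >= n) return -1;
        buf[len++] = *src;
    }
    buf[len] = '\0';
    return 0;
}

/* Inverse of parse_principal: "comp1/comp2@REALM" with escapes restored. */
int unparse_principal(const struct principal *p, char *buf, size_t n)
{
    if (n == 0) return -1;
    buf[0] = '\0';
    for (int i = 0; i < p->ncomp; i++) {
        if (i > 0 && strlen(buf) + 2 >= n) return -1;
        if (i > 0) strcat(buf, "/");
        if (append_escaped(buf, n, p->comp[i]) != 0) return -1;
    }
    if (strlen(buf) + 2 >= n) return -1;
    strcat(buf, "@");
    return append_escaped(buf, n, p->realm);
}

/* GSS_C_NT_HOSTBASED_SERVICE "service@host" -> "service/host@REALM".
 * The GSS name carries no realm; a library derives it from configuration,
 * here it is an assumed parameter. Returns 0 or -1. */
int hostbased_to_principal(const char *gssname, const char *realm,
                           char *buf, size_t n)
{
    struct principal p;
    const char *at = strchr(gssname, '@');
    if (at == NULL || at == gssname || at[1] == '\0') return -1;
    size_t svclen = (size_t)(at - gssname);
    if (svclen >= MAX_LEN || strlen(at + 1) >= MAX_LEN || strlen(realm) >= MAX_LEN)
        return -1;
    memset(&p, 0, sizeof p);
    memcpy(p.comp[0], gssname, svclen);
    for (size_t i = 0; at[1 + i] != '\0'; i++)   /* lower-case the host */
        p.comp[1][i] = (char)tolower((unsigned char)at[1 + i]);
    strcpy(p.realm, realm);
    p.ncomp = 2;
    return unparse_principal(&p, buf, n);
}

/* Reverse mapping, shape-based only: any two-component principal passes,
 * so "alice/admin@REALM" comes out as "alice@admin" even though it is a
 * user instance, not a service on a host. The caller must already know
 * which kind of identity it is holding. Returns 0 or -1. */
int principal_to_hostbased(const struct principal *p, char *buf, size_t n)
{
    if (p->ncomp != 2) return -1;
    if (strlen(p->comp[0]) + strlen(p->comp[1]) + 2 > n) return -1;
    snprintf(buf, n, "%s@%s", p->comp[0], p->comp[1]);
    return 0;
}

int main(void)
{
    struct principal p;
    char buf[256];
    if (hostbased_to_principal("HTTP@WWW.Example.COM", "EXAMPLE.COM", buf, sizeof buf) == 0)
        printf("GSS HTTP@WWW.Example.COM -> %s\n", buf);
    if (parse_principal("alice/admin@EXAMPLE.COM", &p) == 0 &&
        principal_to_hostbased(&p, buf, sizeof buf) == 0)
        printf("alice/admin@EXAMPLE.COM -> %s (wrong kind of name, same shape)\n", buf);
    return 0;
}
```

The mapping in hostbased_to_principal is the one a GSS-API Kerberos mechanism applies when it imports a host-based name; the escape handling is what makes the round trip through unparse_principal safe for service names that contain a delimiter.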

