appl/simple/client/sim_client.c uses internal APIs

Sam Hartman hartmans at suchdamage.org
Fri Feb 24 18:23:39 EST 2023


>>>>> "Ken" == Ken Hornstein via Kerberos <kerberos at mit.edu> writes:

    Ken> I can't argue your preference, and I'll be the first to admit
    Ken> that "simpler" can be subjective (although I would argue one
    Ken> metric, "lines of code", the krb5 API would win).  But let me
    Ken> point out a few things:

    Ken> - I alluded to this on the kitten list (and I know you replied
    Ken> there but I didn't get to reply to it yet), but the issue of
    Ken> multiple round trips is a concern.  You point out that even
    Ken> with SPNEGO you should have a single round trip most of the
    Ken> time and that's a fair point, but this puts you in a tough spot
    Ken> with the usage of GSS; you have to assume your GSS mechanism is
    Ken> a single-trip and violate the API OR complicate your protocol
    Ken> and implementation design and presume an unspecified number of
    Ken> round trips.  At least with the krb5 API you can definitively
    Ken> design the protocol (and implementation) for a single round
    Ken> trip.

As an alternative to the krb5 API, stick in the krb5 mechanism OID.
You can definitively design your protocol and implementation for a
single round trip by doing that.
You can have more code in common with applications that do support
multi-round-trip negotiations, while still getting your half or one
round trip.

--Sam
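
Added example, not part of the original message or of the krb5 sources: a receiver-side check for a protocol that pins the krb5 mechanism OID, going one step beyond the reply above by classifying an initial context token from the mechanism OID in its RFC 2743 section 3.1 header so that SPNEGO or malformed tokens are refused before any context is established. The function names and the two sample tokens are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* DER-encoded mechanism OIDs: tag 0x06, length, value. */
static const unsigned char KRB5_OID[]   = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const unsigned char SPNEGO_OID[] = {0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02};

/* Constructed sample tokens; the payload bytes are placeholders, not real tickets. */
static const unsigned char SAMPLE_KRB5[] = {0x60,0x0f, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
                                            0x12,0x01,0x02,0x02, 0x01,0x00,'A','B'};
static const unsigned char SAMPLE_SPNEGO[] = {0x60,0x0a, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,
                                              0xa0,0x00};

enum mech { MECH_MALFORMED = -1, MECH_OTHER = 0, MECH_KRB5 = 1, MECH_SPNEGO = 2 };

/* Read a DER definite length at *pos, advancing *pos; returns 0 on success. */
static int der_len(const unsigned char *b, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char c = b[(*pos)++];
    if (c < 0x80) { *out = c; return 0; }            /* short form */
    size_t k = c & 0x7f;                              /* long form: k length bytes */
    if (k == 0 || k > 4 || k > n - *pos) return -1;   /* reject indefinite or oversized */
    for (*out = 0; k > 0; k--) *out = (*out << 8) | b[(*pos)++];
    return 0;
}

/* Classify an initial context token by the mechanism OID in its header. */
enum mech initial_token_mech(const unsigned char *tok, size_t n)
{
    size_t pos = 1, body, oid_len;
    if (n < 2 || tok[0] != 0x60) return MECH_MALFORMED;        /* [APPLICATION 0] */
    if (der_len(tok, n, &pos, &body) || body != n - pos) return MECH_MALFORMED;
    if (pos >= n || tok[pos] != 0x06) return MECH_MALFORMED;   /* OBJECT IDENTIFIER */
    size_t oid_start = pos++;
    if (der_len(tok, n, &pos, &oid_len) || oid_len > n - pos) return MECH_MALFORMED;
    size_t enc = (pos - oid_start) + oid_len;                  /* tag + length + value */
    if (enc == sizeof KRB5_OID && !memcmp(tok + oid_start, KRB5_OID, enc)) return MECH_KRB5;
    if (enc == sizeof SPNEGO_OID && !memcmp(tok + oid_start, SPNEGO_OID, enc)) return MECH_SPNEGO;
    return MECH_OTHER;
}

/* Policy for a protocol designed around the krb5 mechanism only: 1 = accept. */
int accept_for_single_trip(const unsigned char *tok, size_t n)
{
    return initial_token_mech(tok, n) == MECH_KRB5;
}

int main(void) { return accept_for_single_trip(SAMPLE_KRB5, sizeof SAMPLE_KRB5) ? 0 : 1; }
```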

