appl/simple/client/sim_client.c uses internal APIs
Sam Hartman
hartmans at suchdamage.org
Fri Feb 24 18:23:39 EST 2023
>>>>> "Ken" == Ken Hornstein via Kerberos <kerberos at mit.edu> writes:
Ken> I can't argue your preference, and I'll be the first to admit
Ken> that "simpler" can be subjective (although I would argue one
Ken> metric, "lines of code", the krb5 API would win). But let me
Ken> point out a few things:
Ken> - I alluded to this on the kitten list (and I know you replied
Ken> there but I didn't get to reply to it yet), but the issue of
Ken> multiple round trips is a concern. You point out that even
Ken> with SPNEGO you should have a single round trip most of the
Ken> time and that's a fair point, but this puts you in a tough spot
Ken> with the usage of GSS; you have to assume your GSS mechanism is
Ken> a single-trip and violate the API OR complicate your protocol
Ken> and implementation design and presume an unspecified number of
Ken> round trips. At least with the krb5 API you can definitively
Ken> design the protocol (and implementation) for a single round
Ken> trip.
As an alternative to the krb5 API, stick in the krb5 mechanism OID.
You can definitively design your protocol and implementation for a
single round trip by doing that.
You can have more code in common with applications that do support
multi-round-trip negotiations, while still getting your half or one
round trip.
--Sam
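
An added example, not part of the post above and not code from MIT krb5: an acceptor written for the single-round-trip design discussed here can check the mechanism OID in the initial context token framing (RFC 2743 section 3.1) before calling gss_accept_sec_context, so it rejects SPNEGO or other mechanisms early. The function names, enum and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* DER contents of the mechanism OIDs (tag 0x06 and length not included). */
static const unsigned char KRB5_MECH[] =      /* 1.2.840.113554.1.2.2 */
    {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
static const unsigned char SPNEGO_MECH[] =    /* 1.3.6.1.5.5.2 */
    {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
/* Constructed samples: framing plus two placeholder bytes, not real tokens. */
static const unsigned char SAMPLE_KRB5[] =
    {0x60, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00};
static const unsigned char SAMPLE_SPNEGO[] =
    {0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, 0xa0, 0x00};

enum token_mech { MECH_MALFORMED = -1, MECH_OTHER = 0, MECH_KRB5 = 1, MECH_SPNEGO = 2 };

/* Read a DER length at buf[*pos]; 0 on success, -1 if truncated or unsupported. */
static int der_len(const unsigned char *buf, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }          /* short form */
    size_t cnt = b & 0x7f;                         /* long form: cnt length bytes */
    if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *pos) return -1;
    for (*out = 0; cnt > 0; cnt--) *out = (*out << 8) | buf[(*pos)++];
    return 0;
}

/* Classify an initial context token by the mechanism OID in its framing. */
enum token_mech classify_initial_token(const unsigned char *tok, size_t n)
{
    size_t pos = 0, body, oid;
    if (n < 2 || tok[pos++] != 0x60) return MECH_MALFORMED;     /* [APPLICATION 0] */
    if (der_len(tok, n, &pos, &body) || body != n - pos) return MECH_MALFORMED;
    if (pos >= n || tok[pos++] != 0x06) return MECH_MALFORMED;  /* OBJECT IDENTIFIER */
    if (der_len(tok, n, &pos, &oid) || oid == 0 || oid > n - pos) return MECH_MALFORMED;
    if (oid == sizeof KRB5_MECH && !memcmp(tok + pos, KRB5_MECH, oid)) return MECH_KRB5;
    if (oid == sizeof SPNEGO_MECH && !memcmp(tok + pos, SPNEGO_MECH, oid)) return MECH_SPNEGO;
    return MECH_OTHER;
}

/* A single-round-trip acceptor would proceed only on MECH_KRB5. */
int main(void)
{
    return (classify_initial_token(SAMPLE_KRB5, sizeof SAMPLE_KRB5) == MECH_KRB5 &&
            classify_initial_token(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO) == MECH_SPNEGO) ? 0 : 1;
}
```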