Mechanism extensions and the GSSAPI

Nicolas Williams Nicolas.Williams at
Wed Apr 28 16:57:08 EDT 2004

Excellent write-up.

I have a nit regarding the extensions-with-multiple-objects scenario:

 - Existing GSS APIs that deal with multiple objects are:

    - GSS_Acquire_cred()/GSS_Add_cred() already ensure that credentials
      are associated with names.

    - GSS_Init_sec_context()/GSS_Accept_sec_context() already ensure
      that security contexts are associated with credentials (one
      credential per-context; obviously the peer's credential is not
      associated directly).

 - I don't believe there are any case where we want extensions that take
   multiple GSS objects that wouldn't be covered by the existing API
   (see above), and if we did we could make a new generic API with
   corresponding SPI to handle the two objects.

Therefore I propose (drum-roll please): the IOCTL + shim-around-IOCTL
approach (to use your terminology).



More information about the krbdev mailing list