krb5_gss_acquire_cred() vs multiple credential caches

Jeffrey Altman jaltman at secure-endpoints.com
Mon Feb 12 11:39:33 EST 2007


Sam Hartman wrote:
> So, isn't this why CCAPI has the concept of a system default cache?
>
> I'm concerned that it sounds like you are diverging from the KFM (and
> thus eventually KIM) behavior for no reason.
>
> --Sam

The system default ccache can only refer to a single ccache and
therefore a single identity.  If the user is maintaining credentials for
multiple identities, only one of them can be the default at any one
time.   If the user suspends their laptop and all of the credentials
expire, we don't change the notion of the default ccache simply because
an application that requires credentials for a non-default ccache
happens to look for credentials first.  Doing so would only result in
confusion and possible misuse of credentials.

When KIM is available, it will be used.   In the meantime, KFW attempts
to do what the user asked for without the benefit of identity selection
logic that KIM will provide.

Jeffrey Altman


