RRC and sign_only

Luke Howard lukeh at padl.com
Thu Dec 18 03:30:31 EST 2008

> It's now clear to me that Sam was talking about the lower-layer crypto API,
> and at that layer, I agree it's entirely reasonable for some cases not to
> support arbitrary RRC.  It's OK that some interfaces are not useful in
> constructing an RFC4121 implementation.

You can construct RFC4121 gss_unwrap() on top of gss_unwrap_iov(), as  
long as you use STREAM. Arbitrary RRC is accepted.

Indeed, should a mechanism provide gss_[un]wrap_iov() but not  
gss_[un]wrap(), the mechglue will synthesise the latter. I used this  
to test RFC4121 interoperability.


-- Luke
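
What accepting an arbitrary RRC means at the byte level, as an added example (not code from this post or from the krb5 source tree): it performs only the rotation step of RFC 4121 Wrap token processing, with no decryption or checksum verification. The names `undo_rrc` and `demo_arbitrary_rrc` are hypothetical and the token bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WRAP_HDR_LEN 16 /* fixed RFC 4121 Wrap token header */

static void reverse(uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n / 2; i++) {
        uint8_t t = p[i];
        p[i] = p[n - 1 - i];
        p[n - 1 - i] = t;
    }
}

/* Undo the sender's right rotation in place (hypothetical helper).
 * Returns 0 on success, -1 if the buffer is not a Wrap token header.
 * Header layout: TOK_ID 05 04, Flags, Filler FF, EC, RRC, SND_SEQ. */
int undo_rrc(uint8_t *tok, size_t len, uint16_t *rrc_out)
{
    if (tok == NULL || len < WRAP_HDR_LEN)
        return -1;
    if (tok[0] != 0x05 || tok[1] != 0x04 || tok[3] != 0xFF)
        return -1;
    uint16_t rrc = (uint16_t)((tok[6] << 8) | tok[7]); /* big-endian */
    uint8_t *body = tok + WRAP_HDR_LEN;
    size_t blen = len - WRAP_HDR_LEN;
    if (rrc_out != NULL)
        *rrc_out = rrc;
    if (blen == 0)
        return 0;
    /* Counts larger than the body are valid: reduce modulo its length. */
    size_t k = rrc % blen;
    reverse(body, k);            /* left-rotate by k via three reversals */
    reverse(body + k, blen - k);
    reverse(body, blen);
    return 0;
}

/* Constructed sample: body "ABCDEFGH" sent rotated right by RRC = 11,
 * which exceeds the 8-byte body (11 mod 8 = 3). Returns 1 if recovered. */
int demo_arbitrary_rrc(void)
{
    uint8_t tok[WRAP_HDR_LEN + 8] = { 0x05, 0x04, 0x00, 0xFF, 0, 0, 0x00, 0x0B };
    uint16_t rrc = 0;
    memcpy(tok + WRAP_HDR_LEN, "FGHABCDE", 8);
    return undo_rrc(tok, sizeof tok, &rrc) == 0 && rrc == 11 &&
           memcmp(tok + WRAP_HDR_LEN, "ABCDEFGH", 8) == 0;
}
```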
