Session key extraction

Nicolas Williams Nicolas.Williams at sun.com
Tue Dec 23 21:15:51 EST 2008


On Wed, Dec 24, 2008 at 09:37:10AM +1100, Luke Howard wrote:
> >Also, there's the question of what base OIDs to use.
> 
> True, currently they're under the PADL arc but I will change this.

Why change it?  I don't care what the prefix is.  What I care about
is that the assignments be made by someone with authority to use the
given prefix(es).

> >>All mechanism-specific APIs in GSS-API have been re-implemented in
> >>terms of these to avoid abstraction violations.
> >
> >I'm not sure I understand.
> 
> The current MIT code exposes the mechglue context layout to the  
> Kerberos mechanism. This is an abstraction violation and will not work  
> with stacked mechanisms. Look, for example, at  
> gss_krb5_get_tkt_flags() in krb5_gss_glue.c.

Any chance to fix this?  Will MIT adopt Solaris' mechglue?  (Solaris'
needs some cleanup, but on the whole is pretty good.)

> >>Two additional APIs are defined, gssspi_set_cred_option() (which sets
> >>an attribute on a credential) and gssspi_mech_invoke() (which is a
> >>catch-all context/credential-handle-less mechanism for invoking a
> >>mechanism-specific API).
> >
> >What's the 'spi' part of these names about?
> 
> That was your suggestion :-) I believe the idea was that APIs tagged  
> with gssspi_ were to be called by mechanisms only.

Ah, OK, thanks!


