Session key extraction
Nicolas.Williams at sun.com
Tue Dec 23 21:15:51 EST 2008
On Wed, Dec 24, 2008 at 09:37:10AM +1100, Luke Howard wrote:
> >Also, there's the question of what base OIDs to use.
> True, currently they're under the PADL arc but I will change this.
Why change it? I don't care what the prefix as is. What I care about
is that the assignments be made by someone with authority to use the
> >>All mechanism-specific APIs in GSS-API have been re-implemented in
> >>terms of these to avoid abstraction violations.
> >I'm not sure I understand.
> The current MIT code exposes the mechglue context layout to the
> Kerberos mechanism. This is an abstraction violation and will not work
> with stacked mechanisms. Look, for example, at
> gss_krb5_get_tkt_flags() in krb5_gss_glue.c.
Any chance to fix this? Will MIT adopt Solaris' mechglue? (Solaris'
needs some cleanup, but on the whole is pretty good.)
> >>Two additional APIs are defined, gssspi_set_cred_option() (which sets
> >>an attribute on a credential) and gssspi_mech_invoke() (which is a
> >>catch-all context/credential-handle-less mechanism for invoking a
> >>mechanism-specific API).
> >What's the 'spi' part of these names about?
> That was your suggestion :-) I believe the idea was that APIs tagged
> with gssspi_ were to be called by mechanisms only.
Ah, OK, thanks!
More information about the krbdev