Session key extraction
lukeh at padl.com
Tue Dec 23 22:11:10 EST 2008
On 24/12/2008, at 1:15 PM, Nicolas Williams wrote:
> On Wed, Dec 24, 2008 at 09:37:10AM +1100, Luke Howard wrote:
>>> Also, there's the question of what base OIDs to use.
>> True, currently they're under the PADL arc but I will change this.
> Why change it? I don't care what the prefix is. What I care about
> is that the assignments be made by someone with authority to use the
> given prefix(es).
Well, I have the authority for PADL. I can change it back if Sam can't
arrange registration under the Kerberos arc.
>>>> All mechanism-specific APIs in GSS-API have been re-implemented in
>>>> terms of these to avoid abstraction violations.
>>> I'm not sure I understand.
>> The current MIT code exposes the mechglue context layout to the
>> Kerberos mechanism. This is an abstraction violation and will not
>> work with stacked mechanisms. Look, for example, at
>> gss_krb5_get_tkt_flags() in krb5_gss_glue.c.
> Any chance to fix this? Will MIT adopt Solaris' mechglue? (Solaris'
> needs some cleanup, but on the whole is pretty good.)
It's fixed now in mskrb-integ.
I thought the MIT mechglue was based on Sun's? I pulled in some more
changes from the original Sun drop, too (to support dynamic loading,
gss_mechanism_ext, etc). Is there anything else you require?