Session key extraction

Luke Howard lukeh at padl.com
Tue Dec 23 22:11:10 EST 2008


On 24/12/2008, at 1:15 PM, Nicolas Williams wrote:

> On Wed, Dec 24, 2008 at 09:37:10AM +1100, Luke Howard wrote:
>>> Also, there's the question of what base OIDs to use.
>>
>> True, currently they're under the PADL arc but I will change this.
>
> Why change it?  I don't care what the prefix is.  What I care about
> is that the assignments be made by someone with authority to use the
> given prefix(es).

Well, I have the authority for PADL. I can change it back if Sam can't
arrange registration under the Kerberos arc.

>>>> All mechanism-specific APIs in GSS-API have been re-implemented in
>>>> terms of these to avoid abstraction violations.
>>>
>>> I'm not sure I understand.
>>
>> The current MIT code exposes the mechglue context layout to the
>> Kerberos mechanism. This is an abstraction violation and will not work
>> with stacked mechanisms. Look, for example, at
>> gss_krb5_get_tkt_flags() in krb5_gss_glue.c.
>
> Any chance to fix this?  Will MIT adopt Solaris' mechglue?  (Solaris'
> needs some cleanup, but on the whole is pretty good.)

It's fixed now in mskrb-integ.

I thought the MIT mechglue was based on Sun's? I pulled in some more
changes from the original Sun drop, too (to support dynamic loading,
gss_mechanism_ext, etc). Is there anything else you require?

-- Luke


