Nicolas.Williams at sun.com
Fri Aug 21 11:34:12 EDT 2009
On Fri, Aug 21, 2009 at 08:04:26AM +0200, Luke Howard wrote:
> On 20/08/2009, at 11:51 PM, Nicolas Williams wrote:
> >Following up from our IM chat, the GSS exts should really be based on
> >the existing gss_acquire/add_cred() functions, and in two variants:
> >for S4U2Self, with an additional impersonator_cred_handle input
> >argument, and one for S4U2Proxy, with that same additional argument
> >a subject_cred_handle instead of desired_name.
> >/* S4U2SELF */
> gss_acquire_cred_with_name, yes?
There's already a desired_name in gss_a*_cred() :)

The S4U2Self idea is that we're using one principal's credential to get
a credential for another principal.

We could call that gss_a*_impersonation_cred() too, or any number of
variants. You and I both felt that "impersonate" was likely to be
confusing, but the alternatives seem confusing too :(