GSS-API and libkrb5 behavior for Anonymous tickets

Jeffrey Hutzelman jhutz at
Wed Nov 4 14:19:05 EST 2009

--On Tuesday, November 03, 2009 11:41:55 AM -0600 Nicolas Williams 
<Nicolas.Williams at> wrote:

>    Just because the mechanism can do that doesn't mean it should.  I'd
>    rather treat the anon req_flag as critical in the mechanism
>    implementations, even though from the application's p.o.v. it's
>    optional.

Me too.

Normally, we tell application implementors to check the return state and 
not use a context that doesn't meet the application's needs; this allows 
applications lots of flexibility in asking for the moon and using what they 
can get.  However, anon_req is qualitatively different here, in that if you 
request an anonymous context, complete context establishment, and end up 
with a non-anonymous context, you've given away the farm even if you don't 
use the context.  Now, we provide applications a way to prevent this by 
indicating anon_state early enough that they can decline to send a token 
along that would reveal the client's identity.  But, I'm inclined to think 
it's better (safer) for mechanisms simply not to establish a context at all 
if anonymity is requested and cannot be provided.

-- Jeff

More information about the krbdev mailing list