Services4User review

[Greg Hudson]

Two questions about the API design:

* Whereas the krb5 gss_acquire_cred only fetches existing credentials
from a cache, the krb5 gss_acquire_cred_impersonate_cred actually goes
out and fetches credentials from the KDC, right?

* Under what circumstances would an application need to use the
gss_acquire_cred_impersonate_cred interface, instead of just calling
gss_init_sec_context with the appropriate proxy credential?  Is there an
actual reason to provide that API?  (And similarly for the corresponding
add_ API, of course.)