Services4User review

Greg Hudson ghudson at MIT.EDU
Fri Sep 4 14:13:42 EDT 2009


On Fri, 2009-09-04 at 13:23 -0400, Nicolas Williams wrote:
> Without gss_acquire/add_cred_impersonate_cred() you can only do the
> S4U2SELF thing when you're the acceptor of a context, but with it you
> can also do the S4U2SELF thing when you just happen to have creds for
> two principals around.  I could see this being useful to someone, though
> I have no use for it at all.  

I thought S4U2Self was done with gss_acquire/add_cred_impersonate_name,
not _cred?  Did you mean S4U2Proxy there?

I'm not really happy with adding an unstandardized GSS extension for
"completeness" or for the sake of unspecified mechanisms we don't have.
Code which isn't tested doesn't work.  If a future need arises for this
interface, it may turn out that the interface isn't quite right, and
what we provide will only get in the way.

So, I'm happy with gss_acquire/add_cred_impersonate_name, which is
needed for S4U2Self with Kerberos, but not with
gss_acquire/add_cred_impersonate_cred.




