lukeh at padl.com
Fri Sep 4 14:24:42 EDT 2009
On 04/09/2009, at 8:13 PM, Greg Hudson wrote:
> On Fri, 2009-09-04 at 13:23 -0400, Nicolas Williams wrote:
>> Without gss_acquire/add_cred_impersonate_cred() you can only do the
>> S4U2SELF thing when you're the acceptor of a context, but with it you
>> can also do the S4U2SELF thing when you just happen to have creds for
>> two principals around. I could see this being useful to someone,
>> I have no use for it at all.
> I thought S4U2Self was done with gss_acquire/
> not _cred? Did you mean S4U2Proxy there?
Yes, he did.
> I'm not really happy with adding an unstandardized GSS extension for
> "completeness" or for the sake of unspecified mechanisms we don't
> Code which isn't tested doesn't work. If a future need arises for
> interface, it may turn out that the interface isn't quite right, and
> what we provide will only get in the way.
I didn't say it wasn't tested. :-)
> So, I'm happy with gss_acquire/add_cred_impersonate_name, which is
> needed for S4U2Self with Kerberos, but not with
How do others feel about this?
More information about the krbdev