Services4User review

Luke Howard lukeh at
Fri Sep 4 14:24:42 EDT 2009

On 04/09/2009, at 8:13 PM, Greg Hudson wrote:

> On Fri, 2009-09-04 at 13:23 -0400, Nicolas Williams wrote:
>> Without gss_acquire/add_cred_impersonate_cred() you can only do the
>> S4U2SELF thing when you're the acceptor of a context, but with it you
>> can also do the S4U2SELF thing when you just happen to have creds for
>> two principals around.  I could see this being useful to someone,  
>> though
>> I have no use for it at all.
> I thought S4U2Self was done with gss_acquire/ 
> add_cred_impersonate_name,
> not _cred?  Did you mean S4U2Proxy there?

Yes, he did.

> I'm not really happy with adding an unstandardized GSS extension for
> "completeness" or for the sake of unspecified mechanisms we don't  
> have.
> Code which isn't tested doesn't work.  If a future need arises for  
> this
> interface, it may turn out that the interface isn't quite right, and
> what we provide will only get in the way.

I didn't say it wasn't tested. :-)

> So, I'm happy with gss_acquire/add_cred_impersonate_name, which is
> needed for S4U2Self with Kerberos, but not with
> gss_acquire/add_cred_impersonate_cred.

How do others feel about this?

-- Luke

More information about the krbdev mailing list