Nicolas.Williams at sun.com
Fri Sep 4 14:56:21 EDT 2009
On Fri, Sep 04, 2009 at 08:24:42PM +0200, Luke Howard wrote:
> On 04/09/2009, at 8:13 PM, Greg Hudson wrote:
> >I thought S4U2Self was done with gss_acquire/
> >not _cred? Did you mean S4U2Proxy there?
> Yes, he did.
> >I'm not really happy with adding an unstandardized GSS extension for
> >"completeness" or for the sake of unspecified mechanisms we don't
> >have. Code which isn't tested doesn't work. If a future need arises
> >for this interface, it may turn out that the interface isn't quite
> >right, and what we provide will only get in the way.
MIT has already added non-standard GSS-API extensions. So has Sun. So
has Heimdal. We're working towards having an IANA registry for GSS-API
extensions. That should be good enough.
> >So, I'm happy with gss_acquire/add_cred_impersonate_name, which is
> >needed for S4U2Self with Kerberos, but not with
> How do others feel about this?
I don't care that much. But this is the sort of thing where actual
experience helps. So I'd rather it ship, preferably with a warning that
it's subject to change/removal/... (That's what we did with
gss_store_cred(), for example.)
More information about the krbdev