Nicolas Williams Nicolas.Williams at
Fri Sep 4 14:56:21 EDT 2009

On Fri, Sep 04, 2009 at 08:24:42PM +0200, Luke Howard wrote:
> On 04/09/2009, at 8:13 PM, Greg Hudson wrote:
> >I thought S4U2Self was done with gss_acquire/add_cred_impersonate_name,
> >not _cred?  Did you mean S4U2Proxy there?
> Yes, he did.

> >I'm not really happy with adding an unstandardized GSS extension for
> >"completeness" or for the sake of unspecified mechanisms we don't
> >have.  Code which isn't tested doesn't work.  If a future need arises
> >for this interface, it may turn out that the interface isn't quite
> >right, and what we provide will only get in the way.

MIT has already added non-standard GSS-API extensions.  So has Sun.  So
has Heimdal.  We're working towards having an IANA registry for GSS-API
extensions.  That should be good enough.

> >So, I'm happy with gss_acquire/add_cred_impersonate_name, which is
> >needed for S4U2Self with Kerberos, but not with
> >gss_acquire/add_cred_impersonate_cred.
> How do others feel about this?

I don't care that much.  But this is the sort of thing where actual
experience helps.  So I'd rather it ship, preferably with a warning that
it's subject to change/removal/...  (That's what we did with
gss_store_cred(), for example.)
