Sanity check: GSSAPI SPI simplifications
Luke Howard
lukeh at padl.com
Mon May 24 19:15:22 EDT 2010
On 25/05/2010, at 12:49 AM, Jeffrey Hutzelman wrote:
> --On Friday, April 30, 2010 03:52:44 PM -0500 Nicolas Williams
> <Nicolas.Williams at oracle.com> wrote:
>
>>> 1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
>>> and gss_add_cred in terms of mech->gss_acquire_cred. It never invokes
>>> mech->gss_add_cred.
>>>
>>> As a consequence, there is about 300 lines of orphaned code in the
>>> krb5 mech. I propose to get rid of it, and to eliminate gss_add_cred
>>> from struct gss_config. (Similarly for gss_add_cred_impersonate_name,
>>> which is already nulled out in the krb5 mech.)
>>
>> I've noticed this before. Please do eliminate this dead code.
>
> So, this would make the krb5 mech no longer be a GSS-API implementation.
> I suppose that's OK, if you assume that your mech is only ever going to be
> used with your mechglue. The problem is that as soon as more than one
> implementor makes that assumption, you stop being able to use arbitrary
> sets of mechanisms -- you can only use sets of mechanisms for which there
> is a mechglue with which they are all compatible.
This is a good point.
-- Luke
More information about the krbdev
mailing list