Sanity check: GSSAPI SPI simplifications

Luke Howard lukeh at
Mon May 24 19:15:22 EDT 2010

On 25/05/2010, at 12:49 AM, Jeffrey Hutzelman wrote:

> --On Friday, April 30, 2010 03:52:44 PM -0500 Nicolas Williams 
> <Nicolas.Williams at> wrote:
>>> 1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
>>> and gss_add_cred in terms of mech->gss_acquire_cred.  It never invokes
>>> mech->gss_add_cred.
>>> As a consequence, there are about 300 lines of orphaned code in the
>>> krb5 mech.  I propose to get rid of it, and to eliminate gss_add_cred
>>> from struct gss_config.  (Similarly for gss_add_cred_impersonate_name,
>>> which is already nulled out in the krb5 mech.)
>> I've noticed this before.  Please do eliminate this dead code.
> So, this would make the krb5 mech no longer be a GSS-API implementation.
> I suppose that's OK, if you assume that your mech is only ever going to be 
> used with your mechglue.  The problem is that as soon as more than one 
> implementor makes that assumption, you stop being able to use arbitrary 
> sets of mechanisms -- you can only use sets of mechanisms for which there 
> is a mechglue with which they are all compatible.

This is a good point.

-- Luke
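
The dispatch layering discussed in this thread, as an added toy model in C that is not part of the original messages and is not MIT krb5 code. All names (`toy_mech`, `glue_a_*`, `glue_b_*`, `TOY_UNAVAILABLE`) are hypothetical stand-ins; the model shows that a glue layered as described never reaches the mechanism's `add_cred` entry, while a glue that dispatches `add_cred` directly depends on it.

```c
#include <stddef.h>
#include <stdio.h>

#define TOY_UNAVAILABLE (-1)          /* hypothetical "entry point missing" status */

struct counters { int acquire; int add; };   /* which mech entries actually ran */
typedef int (*cred_fn)(struct counters *);

/* Hypothetical stand-in for the mechanism dispatch table (struct gss_config). */
struct toy_mech { cred_fn acquire_cred; cred_fn add_cred; };

static int mech_acquire(struct counters *c) { c->acquire++; return 0; }
static int mech_add(struct counters *c)     { c->add++;     return 0; }

/* Mechanism exporting both entries, and one with add_cred removed. */
static const struct toy_mech full_mech    = { mech_acquire, mech_add };
static const struct toy_mech trimmed_mech = { mech_acquire, NULL };

/* Glue A: add_cred is built on mech->acquire_cred, as described in the thread. */
int glue_a_add_cred(const struct toy_mech *m, struct counters *c) {
    if (m->acquire_cred == NULL) return TOY_UNAVAILABLE;
    return m->acquire_cred(c);
}

/* Glue A: acquire_cred is built on its own add_cred. */
int glue_a_acquire_cred(const struct toy_mech *m, struct counters *c) {
    return glue_a_add_cred(m, c);
}

/* Glue B: a different glue that dispatches straight to mech->add_cred. */
int glue_b_add_cred(const struct toy_mech *m, struct counters *c) {
    if (m->add_cred == NULL) return TOY_UNAVAILABLE;  /* always check the slot */
    return m->add_cred(c);
}

int main(void) {
    struct counters c = { 0, 0 };
    glue_a_acquire_cred(&full_mech, &c);
    printf("glue A, full mech:    acquire=%d add=%d\n", c.acquire, c.add);
    printf("glue A, trimmed mech: status=%d\n", glue_a_add_cred(&trimmed_mech, &c));
    printf("glue B, trimmed mech: status=%d\n", glue_b_add_cred(&trimmed_mech, &c));
    return 0;
}
```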

More information about the krbdev mailing list