Sanity check: GSSAPI SPI simplifications

Jeffrey Hutzelman jhutz at
Tue May 25 10:08:06 EDT 2010

"Nicolas Williams" <Nicolas.Williams at> wrote:

>On Mon, May 24, 2010 at 06:13:35PM -0700, Love Hörnquist Åstrand wrote:
>> 24 maj 2010 kl. 15:49 skrev Jeffrey Hutzelman:
>> > ...
>> All good points, however duplicating code is multiple layers hides bugs and increases code size, either good either.
>Agreed.  I *like* the API as the SPI, but not to the point where
>mechanisms can be used directly without the mechglue.  And that not so
>much because of various problems that arise (think memory mgmt, though
>in v3 we could fix most of these if we really wanted to) but because
>there's no point: no one is going to that, because nobody really has
>when they've had the choice even of using just one mechanism through the

OK; that's a fair point.  But what about being able to combine mechs from multiple sources under one mechglue?  What happenns when someone releases a SCRAM implementation and their own mechglue?  If they make different assumptions, then neither mech works with the other provider's glue, and apps are stuck with the choice of supporting either krb5 or SCRAM (a decision the framework is supposed to save them from) but not both.

-- Jeff

More information about the krbdev mailing list