Sanity check: GSSAPI SPI simplifications
Nicolas Williams
Nicolas.Williams at oracle.com
Tue May 25 11:29:50 EDT 2010
On Tue, May 25, 2010 at 10:08:06AM -0400, Jeffrey Hutzelman wrote:
> "Nicolas Williams" <Nicolas.Williams at oracle.com> wrote:
> >Agreed. I *like* the API as the SPI, but not to the point where
> >mechanisms can be used directly without the mechglue. [...]
>
> OK; that's a fair point. But what about being able to combine mechs
> from multiple sources under one mechglue? What happens when someone
> releases a SCRAM implementation and their own mechglue? If they make
> different assumptions, then neither mech works with the other
> provider's glue, and apps are stuck with the choice of supporting
> either krb5 or SCRAM (a decision the framework is supposed to save
> them from) but not both.

They shouldn't. Instead they should release mechanisms for existing
mechglues.

Just as no one bothers to use GSS mechs w/o mechglues, I doubt
developers will want to re-write mechglues every time they write mechs.

(Aside: I suspect that most mechglues will have sufficiently similar
SPIs that targeting multiple mechglues will generally be feasible.)

More information about the krbdev
mailing list