Project review: GSS credential store extensions

Greg Hudson ghudson at MIT.EDU
Thu Jul 12 15:23:54 EDT 2012


On 07/12/2012 01:53 PM, Sam Hartman wrote:
> If it helps people with API names and stuff, I'm going to argue Moonshot
> should use this for initial credential acquisition.
> In particular I think we'll want to support:
[...]

Will the application typically know what sorts of stuff it needs to
provide before it starts to acquire creds and initiate a security context?

In the krb5 world, you have to make an AS request and get a
preauth-required error before you know what questions to ask the user.
As such, neither gss_acquire_cred_with_password nor
gss_acquire_cred_from connect up very well.  Because of this, it seems
like a questionable idea to me (and to Simo) to conflate "where the
creds are" with "what secrets and/or parameters I need to know in order
to create initial creds".

However, I know that Nico (and now you) want to combine the two into one
container, and that Nico wants there to be more commonality between cred
stores (which are currently text contracts keyed by URNs or maybe URIs)
and response items (which are currently binary contracts keyed by
uncoordinated C strings).  I'd be more amenable to this idea if I
understood better how it could possibly work.