Changes to cred store design

ghudson@MIT.EDU ghudson at MIT.EDU
Fri Jul 20 10:35:00 EDT 2012


I think we have the following points of agreement for the GSS cred
store design, based on a recent call:

* It's important to separate "where the creds are stored" from
  "answers to questions asked during initial authentication" in a
  proxy scenario.  Cred storage locations are references to external
  resources which may require privilege to access, and should
  therefore be configured on the proxy server rather than blindly
  trusted from the client.  Authentication responses make sense to
  proxy, though.

* However, there's no reason we can't use the same key-value data
  store for both purposes, as long as we give it an appropriate name.

* Keys for a map like this should not be constrained to URNs.  Sam
  suggested that we allow either URIs or implementation-defined simple
  strings.  We can then use "ccache" and "keytab" in the krb5 mech for
  brevity in config files, although it would be good if they had URI
  aliases.

So the specific changes needed are just naming changes:

* gss_cred_store_element{_struct,_t} -> gss_key_value_element{_struct,_t}
* gss_cred_store_element_struct.urn -> gss_key_value_element_struct.key
* gss_cred_store{_struct,_t} -> gss_key_value_set{_struct,_t}
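
The first bullet's proxy policy, as an added example in C that is not MIT krb5 code and not part of the original message: a toy key-value set of the shape the post describes (elements with a `key` and a value), a list of keys that name credential storage locations ("ccache" and "keytab", as in the post), and a merge routine that takes storage locations only from the proxy's own configuration while forwarding every other client-supplied key as an authentication answer. The struct and function names, the fixed element capacity, and the use of "password" as an authentication-answer key are assumptions made for the example, not part of the proposal.

```c
/* Added example (not MIT krb5 code): a toy key-value set of the shape the
 * proposal describes, plus the proxy-side policy from the first bullet.
 * Storage-location keys ("ccache", "keytab") are taken only from the proxy's
 * own configuration; any other client-supplied key is treated as an
 * authentication answer and forwarded.  All names here are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct kv_element {
    const char *key;
    const char *value;
};

struct kv_set {
    size_t count;
    struct kv_element elements[8]; /* assumed fixed capacity for the example */
};

/* Keys that name where credentials live.  They reference external resources
 * that may require privilege, so the proxy must not accept them from a client. */
static const char *const storage_keys[] = { "ccache", "keytab", NULL };

int kv_is_storage_key(const char *key)
{
    for (size_t i = 0; storage_keys[i] != NULL; i++)
        if (strcmp(key, storage_keys[i]) == 0)
            return 1;
    return 0;
}

int kv_add(struct kv_set *set, const char *key, const char *value)
{
    if (set->count >= sizeof(set->elements) / sizeof(set->elements[0]))
        return -1;
    set->elements[set->count].key = key;
    set->elements[set->count].value = value;
    set->count++;
    return 0;
}

const char *kv_get(const struct kv_set *set, const char *key)
{
    for (size_t i = 0; i < set->count; i++)
        if (strcmp(set->elements[i].key, key) == 0)
            return set->elements[i].value;
    return NULL;
}

/* Build the set the proxy would actually use: storage locations from the
 * proxy's configuration, authentication answers from the client.  Returns the
 * number of client elements dropped for trying to name a storage location, or
 * -1 if the output set is full. */
int kv_merge_for_proxy(const struct kv_set *proxy_conf,
                       const struct kv_set *from_client, struct kv_set *out)
{
    int dropped = 0;
    out->count = 0;
    for (size_t i = 0; i < proxy_conf->count; i++)
        if (kv_add(out, proxy_conf->elements[i].key,
                   proxy_conf->elements[i].value) != 0)
            return -1;
    for (size_t i = 0; i < from_client->count; i++) {
        const struct kv_element *e = &from_client->elements[i];
        if (kv_is_storage_key(e->key)) {
            dropped++; /* client tried to pick the proxy's ccache/keytab */
            continue;
        }
        if (kv_add(out, e->key, e->value) != 0)
            return -1;
    }
    return dropped;
}

int main(void)
{
    struct kv_set conf = {0}, client = {0}, merged = {0};
    /* Constructed sample input, not real configuration. */
    kv_add(&conf, "ccache", "FILE:/var/lib/proxy/krb5cc_svc");
    kv_add(&conf, "keytab", "FILE:/etc/proxy.keytab");
    kv_add(&client, "ccache", "FILE:/etc/krb5.keytab"); /* must be rejected */
    kv_add(&client, "password", "hunter2");             /* assumed auth answer */
    int dropped = kv_merge_for_proxy(&conf, &client, &merged);
    printf("dropped %d client element(s)\n", dropped);
    for (size_t i = 0; i < merged.count; i++)
        printf("%s=%s\n", merged.elements[i].key, merged.elements[i].value);
    return 0;
}
```

The point of the merge order is that a client cannot redirect the proxy to a keytab or ccache it has no business reading; only keys outside the storage-location list cross the trust boundary.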

