Suppressing conf/integ flags in krb5 GSS tokens

Nico Williams nico at
Mon Jun 1 00:37:23 EDT 2015

Greg objects to SPNEGO not requesting GSS_C_INTEG_FLAG, and I tend to
agree (since it's possible to design a mechanism that uses -say- bearer
tokens for authentication but does no key exchange unless requested).

To make that work we'd have to change GSS_KRB5_CRED_NO_CI_FLAGS_X to
unset the CI flags rather than not set them by default.


More information about the krbdev mailing list