[30751] in Kerberos
Re: WS-Security and GSS-API: How do I get the session key?
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Mon Feb 23 11:12:01 2009
From: Ken Raeburn <raeburn@MIT.EDU>
To: Speedo <speedogoo@gmail.com>
In-Reply-To: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com>
Message-Id: <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu>
Date: Mon, 23 Feb 2009 11:11:17 -0500
Cc: kerberos@MIT.EDU

On Feb 23, 2009, at 04:39, Speedo wrote:
> I guess this issue had been discussed before: WS-Security negotiates
> with Kerberos 5 but uses the session key in a different way from GSS
> tokens. Since GSS-API is the public API to access Kerberos 5, is there
> any recent progress in enhancing the GSS-API to provide a function
> like gss_get_session_key()?

I wouldn't say that "GSS-API is the public API to access Kerberos 5",
though I think it's generally preferred that you write application
*protocols* to GSS-API. (Which means, among other things, not
assuming you can extract the session key and do with it what you like
-- or even assuming that there is such a thing as a "session key".)

If you write non-GSSAPI application protocols, there are still
non-GSSAPI programming interfaces....

That said, I believe the MIT 1.7 release will include an API for
extracting a session key if there is one, but no earlier release from
MIT will, and I'm not sure how portable that API will be to other
implementations.

Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos