[49] in GSSAPI Development
Re: clarification on GSS C Bindings
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri May 17 23:56:49 1991
Date: Fri, 17 May 91 23:55:17 -0400
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
To: kannan@sejour.lkg.dec.com
Cc: wray@ultra.enet.dec.com, gssapi-dev@ATHENA.MIT.EDU,
In-Reply-To: kannan@sejour.lkg.dec.com's message of Fri, 17 May 91 12:06:59 EDT,
Reply-To: tytso@ATHENA.MIT.EDU

   Date: Fri, 17 May 91 12:06:59 EDT
   From: kannan@sejour.lkg.dec.com

   This is OK, since we can specify GSS_C_NO_CREDENTIAL to init_sec_context
   and it will do the right thing (acquire default user credentials internally.)
   Also, on the verifier side, we have a delegated cred handle which can be
   passed to init_sec_context.

   However, on the claimant side, if we need to issue multiple init_sec_context
   calls (i.e., mutual authentication), should we always pass in the default
   credential handle for each call? If so, this would be very inefficient for
   SPX.

   It would be nice if when we specified the use of default credentials, a
   modified cred handle is returned to the application for subsequent GSS API
   routines. However, this doesn't seem possible.

Oh, sure it is! It just requires creative implementation of
GSS_C_NO_CREDENTIAL. For example, in my implementation:

	#define GSS_C_NO_CREDENTIAL (gss_default_credentials)

[gss_default_credentials is a global variable declared in init_sec.c]

As far as I can tell, there's nothing in the specification to disallow
something like this. John, do you consider this a valid interpretation
of the GSS API C binding spec?

- Ted
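
The macro approach described in the message above, as an added example that is not part of the original message and not code from the implementation it mentions. Every name prefixed toy_ is a hypothetical stand-in, not a real GSS-API type or call; only the macro line and the global's name come from the message.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-ins: NOT the real GSS-API types, signatures or status codes. */
typedef struct toy_cred { char principal[32]; int usable; } *toy_cred_id_t;

/* The macro expands to a global, so every call site re-reads its current value. */
toy_cred_id_t gss_default_credentials = NULL;
#define GSS_C_NO_CREDENTIAL (gss_default_credentials)

static struct toy_cred default_slot;
static int acquire_count = 0;        /* number of expensive acquisitions */

/* Hypothetical expensive default-credential acquisition. */
static toy_cred_id_t toy_acquire_default(void) {
    acquire_count++;
    strcpy(default_slot.principal, "user@EXAMPLE");  /* constructed value */
    default_slot.usable = 1;
    return &default_slot;
}

/* One leg of context setup: 1 = call again, 0 = complete, -1 = error. */
int toy_init_sec_context(toy_cred_id_t cred, int *leg) {
    if (cred == NULL) {              /* default requested, not yet acquired */
        gss_default_credentials = toy_acquire_default();
        cred = gss_default_credentials;
    }
    if (!cred->usable) return -1;
    return ++*leg < 2 ? 1 : 0;       /* two legs model mutual authentication */
}

int toy_acquisitions(void) { return acquire_count; }

/* Claimant side: both legs are written with GSS_C_NO_CREDENTIAL. */
int toy_mutual_auth(void) {
    int leg = 0, rc;
    do { rc = toy_init_sec_context(GSS_C_NO_CREDENTIAL, &leg); } while (rc == 1);
    return rc == 0 ? leg : -1;
}

/* Not modelled: locking for threads, or re-acquiring an expired credential. */
int main(void) {
    int legs = toy_mutual_auth();
    printf("legs=%d acquisitions=%d\n", legs, toy_acquisitions());
    return 0;
}
```

The second leg passes the handle the first leg stored in the global, so the acquisition runs once even though the caller writes GSS_C_NO_CREDENTIAL both times.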