[15826] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Sanity check: GSSAPI SPI simplifications

daemon@ATHENA.MIT.EDU (Luke Howard)
Mon May 24 19:16:49 2010

Mime-Version: 1.0 (Apple Message framework v1078)
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <CD1CF89724AA83857D6EBABF@minbar.fac.cs.cmu.edu>
Date: Tue, 25 May 2010 01:15:22 +0200
Message-Id: <074EAC3E-884A-46FA-B75A-6683308FF6D2@padl.com>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Cc: krbdev@mit.edu, Nicolas Williams <nicolas.williams@oracle.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu


On 25/05/2010, at 12:49 AM, Jeffrey Hutzelman wrote:

> --On Friday, April 30, 2010 03:52:44 PM -0500 Nicolas Williams 
> <Nicolas.Williams@oracle.com> wrote:
> 
>>> 1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
>>> and gss_add_cred in terms of mech->gss_acquire_cred.  It never invokes
>>> mech->gss_add_cred.
>>> 
>>> As a consequence, there is about 300 lines of orphaned code in the
>>> krb5 mech.  I propose to get rid of it, and to eliminate gss_add_cred
>>> from struct gss_config.  (Similarly for gss_add_cred_impersonate_name,
>>> which is already nulled out in the krb5 mech.)
>> 
>> I've noticed this before.  Please do eliminate this dead code.
> 
> So, this would make the krb5 mech no longer be a GSS-API implementation.
> I suppose that's OK, if you assume that your mech is only ever going to be 
> used with your mechglue.  The problem is that as soon as more than one 
> implementor makes that assumption, you stop being able to use arbitrary 
> sets of mechanisms -- you can only use sets of mechanisms for which there 
> is a mechglue with which they are all compatible.

This is a good point.

-- Luke
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post