[39194] in Kerberos
Re: appl/simple/client/sim_client.c uses internal APIs
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Feb 24 18:27:17 2023
From: Russ Allbery <eagle@eyrie.org>
To: Nico Williams <nico@cryptonector.com>
CC: Ken Hornstein <kenh@cmf.nrl.navy.mil>, <kerberos@mit.edu>
In-Reply-To: <Y/kjG1LGtq1XRLKO@gmail.com> (Nico Williams's message of "Fri, 24
Feb 2023 14:50:35 -0600")
Date: Fri, 24 Feb 2023 15:23:01 -0800
Message-ID: <877cw6fy22.fsf@hope.eyrie.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Nico Williams <nico@cryptonector.com> writes:
> RFC 7546 exists.
Yes, I am well aware that this exists. If you can read this and come away
thinking that the API that it describes is simpler than the krb5 API, I
really don't know what to say. Perhaps GSSAPI reflects the way that you
think more closely, so it seems simpler to you.
I use GSSAPI for new code because it is a *better* API (or, more
precisely, a better *protocol*) that fixes various underlying issues and
has better defaults. But it is not *simpler*; quite the opposite, it's
more tedious and annoying and weird, harder to debug because of the
imposition of the generic layer that has a tendency to get in the way of
understanding what's going on, and requires you think about both Kerberos
and GSS concepts at the same time when implementing a non-trivial
application instead of focusing only on Kerberos.
Just to take another example, GSSAPI introduces yet another identity
format and now you have to be aware of both the Kerberos identity and the
GSS identity, which are sort of the same but not always.
> I've written a fair amount of app code using krb5 and GSS APIs, and I
> strongly prefer GSS code.
Well, I have written some of that code myself, and I don't agree.
> It does pay a price, but if all you need is encrypted sessions, then
> it's simple.
I think we have very different definitions of simple.
--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
