On Feb 23, 2009, at 04:39, Speedo wrote: > I guess this issue had been discussed before: WS-Security negotiates > with Kerberos 5 but uses the session key in a different way from GSS > tokens. Since GSS-API is the public API to access Kerberos 5, is there > any recent progress in enhancing the GSS-API to provide a function > like gss_get_session_key()?
I wouldn't say that "GSS-API is the public API to access Kerberos 5", though I think it's generally preferred that you write application *protocols* to GSS-API. (Which means, among other things, not assuming you can extract the session key and do with it what you like -- or even assuming that there is such a thing as a "session key".) If you write non-GSSAPI application protocols, there are still non- GSSAPI programming interfaces.... That said, I believe the MIT 1.7 release will include an API for extracting a session key if there is one, but no earlier release from MIT will, and I'm not sure how portable that API will be to other implementations. Ken ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
