Nico Williams <[email protected]> writes:

> RFC 7546 exists.

Yes, I am well aware that this exists. If you can read this and come away thinking that the API that it describes is simpler than the krb5 API, I really don't know what to say. Perhaps GSSAPI reflects the way that you think more closely, so it seems simpler to you.

I use GSSAPI for new code because it is a *better* API (or, more precisely, a better *protocol*) that fixes various underlying issues and has better defaults. But it is not *simpler*; quite the opposite, it's more tedious and annoying and weird, harder to debug because of the imposition of the generic layer that has a tendency to get in the way of understanding what's going on, and requires you think about both Kerberos and GSS concepts at the same time when implementing a non-trivial application instead of focusing only on Kerberos.

Just to take another example, GSSAPI introduces yet another identity format and now you have to be aware of both the Kerberos identity and the GSS identity, which are sort of the same but not always.

> I've written a fair amount of app code using krb5 and GSS APIs, and I
> strongly prefer GSS code.

Well, I have written some of that code myself, and I don't agree.

> It does pay a price, but if all you need is encrypted sessions, then
> it's simple.

I think we have very different definitions of simple.

-- 
Russ Allbery ([email protected])              <https://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
