curl-library

Re: [PATCH] docs: Update SPNEGO and GSS-API related doc sections

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Sun, 03 Aug 2014 20:53:55 +0200

On 2014-08-03 at 11:27, Dan Fandrich wrote:
> On Sun, Aug 03, 2014 at 10:50:21AM +0200, Michael Osipov wrote:
>> On 2014-08-03 at 10:27, Dan Fandrich wrote:
>>> On Sat, Aug 02, 2014 at 02:18:29PM +0000, Michael Osipov wrote:
>>>> @@ -180,7 +180,8 @@ FOOTNOTES
>>>> *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native
>>>> Windows), Secure Transport (native iOS/OS X) or qssl (native IBM i)
>>>> *2 = requires OpenLDAP
>>>> - *3 = requires a GSSAPI-compliant library, such as Heimdal or similar
>>>> + *3 = requires a GSS-API implementation, such as Heimdal, MIT Kerberos or
>>>> + SSPI (native Windows)
>>>> *4 = requires nghttp2 and possibly a recent TLS library
>>>> *5 = requires a krb4 library, such as the MIT one or similar
>>>> *6 = requires c-ares
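Review bot: the added *3 text puts SSPI inside the "such as" list, so it reads as a third GSS-API library next to Heimdal and MIT Kerberos, although SSPI is a separate Windows API. Move it out of the list, for example "requires a GSS-API implementation (Heimdal, MIT Kerberos) or SSPI (native Windows)", so the footnote names two alternative backends rather than three examples of one.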
>>>
>>> Minor nit on this one—this implies that SSPI provides a GSS-API implementation.
>>> This might be slightly clearer:
>>>
>>> + *3 = requires a GSS-API implementation such as Heimdal or MIT Kerberos, or
>>> + SSPI (native Windows)
>>
>> In fact, SSPI is a proprietary GSS-API implementation but I do
>> understand what you are referring to. I have trouble phrasing this in
>> an unambiguous way.
>>
>> Is this better: requires a GSS-API implementation (Unix-like OS) such
>> as Heimdal or MIT Kerberos, or SSPI (native Windows)
>>
>> In general, those who know what SPNEGO is will know the difference
>> between GSS-API and SSPI, IMHO.
>>
>> How would you rephrase that?
>
> I'm no expert on these differences, but I note that the Kerberos code for
> FTP, IMAP, POP3, SMTP is disabled if SSPI is in use.

Except for FTP, none of those SASL-aware protocols use any GSS mechanism in curl.

> If SSPI truly provided
> a GSS-API implementation, then I would expect this GSS-API code to be enabled.
> As *3 seems to conflate GSS-API and SPNEGO requirements, perhaps it should be
> split into two line items in the spirit of clarified documentation.

What about:

   *3 = requires a GSS-API implementation (Heimdal, MIT Kerberos) or
        SSPI (native Windows)
?

Michael

Received on 2014-08-03