Re: GSS-APIv3 sketch

Nicolas Williams <> Wed, 11 November 2009 20:45 UTC

Date: Wed, 11 Nov 2009 14:34:28 -0600
From: Nicolas Williams <>
Subject: Re: GSS-APIv3 sketch
Message-ID: <20091111203428.GF10501@Sun.COM>
References: <20091111181140.GC10501@Sun.COM>
In-Reply-To: <20091111181140.GC10501@Sun.COM>

On Wed, Nov 11, 2009 at 12:11:40PM -0600, Nicolas Williams wrote:
>        - the API is the SPI, _mostly_, but there's a function that each
> 	 provider must provide by which a mechglue above it can
> 	 configure the provider
> 	  - among other things, [...]

To be clear, the SPI is not exactly the API, and my description of the
differences between the two was not intended to be complete ("among
other things, ...").

Besides the differences I pointed out in the original and follow-ups,
it's reasonable to have some slight semantic differences, such as: a
provider not providing async support, with the mechglue invoking the
provider on a helper thread so as to layer async support above it
(Jeff's suggestion), or a provider not providing per-msg token
concurrency but the mechglue providing it on the provider's behalf.

There may be other differences, but the point stands: the SPI will be
_mostly_ the same as the API.  The rationale is as given in one of those
follow-ups: the more similar the two, the easier it is to generate
mechglue code, plus, there's no obvious reason to want the two
interfaces to diverge in more than minor ways.

But if someone has any reasons to want the two interfaces to diverge
radically, I'd love to hear them.