Suggested ToDo

Morten Sylvest Olsen mso at medical-insight.com
Tue Jan 23 17:22:24 EST 2007


Henry B. Hotz wrote:
> Per my earlier thread it appears that there isn't any worthwhile SASL  
> support on the Windows platform.  However there is support for SSPI,  
> which can be made to behave like GSSAPI.  There are published, tested  
> examples of how to do this.
> 
> Wouldn't it be worthwhile for someone to write an alternate version  of 
> the GSSAPI mechanism plug-in that works on Windows without the  need to 
> install a Kerberos distribution?

Does the Windows SSPI actually support Kerberos? I know in cyrus-sasl 
and the Linux-world GSSAPI == Kerberos, but actually the G is supposed 
to mean Generic! I think Solaris has another mechanism besides Kerberos 
for GSSAPI. I've always thought the layering of GSSAPI below SASL weird, 
like tcp over http :)

> Seems to me that if someone cares about wide adoption of the SASL  
> standard then we need a robust implementation on Windows that's easy  to 
> build/install.

I think a larger problem is that the Windows world is entrenched on 
SPNEGO, especially since IE supports it. To be fair, it is also somewhat 
better because it, unlike SASL, is immune to downgrading attacks.

/Morten


More information about the Cyrus-sasl mailing list