Re: Plans for 8.4

What's the time frame for 8.4?

I'm making no promises, but what would people think of a hostgss hba  
option?

Using it would imply the gssapi/sspi authentication option.  It would  
be mutually exclusive of the ssl link-encryption option.  It would  
support strong encryption of the whole connection without the need to  
get X509 certs deployed (which would be a big win if you're using  
gssapi/sspi authentication anyway).

The thing that prevented me from including it in the gssapi patches I  
did for 8.3 was that I couldn't disentangle the program logic to the  
point of inserting the gssapi security layer code above the SSL code  
and below everything else.  I'm thinking that doing both is pretty  
much an edge case, so I propose to do gssapi security layers instead  
of SSL.  The mods are a lot more obvious.

I'm *NOT* proposing to make build support of gssapi security layers  
exclusive of SSL.  You might, for example, configure a server to  
support username/password over SSL for intra-net addresses, but  
support gssapi for Internet addresses.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu