Re: Design Considerations for New Authentication Methods

On Nov 2, 2006, at 1:18 AM, Magnus Hagander wrote:

>>> * Henry B. Hotz (hotz@jpl.nasa.gov) wrote:
>>>> I've been looking at adding SASL or GSSAPI as an auth
>> method.  I have
>>>> some questions about how to handle the flow of control changes.
>>>
>>> Great!  I'd love to see that implemented, personally, so if you're
>>> looking for help, please let me know.
>>
>> Thank you.  I will!  ;-)
>>
>> Do you know Java?  I'm doing this ultimately because I want
>> the JDBC driver to support encrypted connections with
>> Kerberos and without needing SSL.  As an added plus a
>> Windows-native client should support it.
>
> Interesting, I thought you were going for the authentication only.
> What's the real gain in doing Kerberos encryption over SSL encryption?
> Doesn't Java come with SSL support anyway these days?
>
>
>> My main hesitation between SASL and GSSAPI is that the
>> Windows equivalent APIs for SASL have not received the same
>> degree of interoperability testing as SSPI<-->GSSAPI.  I
>> don't have a published example to crib from.  For general
>> information the relevant calls are at the bottom of
>> <http://msdn.microsoft.com/library/default.asp?url=/
>> library/en-us/secauthn/security/authentication_functions.asp>.
>
> One reason for this could be that they appear to be available only on
> server platforms, and not on cilents, if you look at the  
> documentation.
> That said, I have the DLL file and the export functions on my XP
> machine, so it's definitly present there - I'm unsure if it *works* or
> is supported. My registry does indicate that I have the GSSAPI profile
> for SASL, which would be an indication that it should.
>
>
> //Magnus