Talk:Generic Security Services Application Programming Interface

This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (Learn how and when to remove this message)

This article appears to have been taken in its entirety from the Kerberos FAQ. That FAQ has the following copyright notice: (c) 2000 United States Government as represented by the Secretary of the Navy. All rights reserved., which I take to mean that it's not in the public domain like some U.S. Government works.

We could still do with a good article on GSSAPI (I'm particularly interested in its de-facto relationship to Kerberos).

-- JTN 12:18, 2005 Feb 10 (UTC)

I have added a new version of the GSSAPI Text, this time copyrighted by myself ;-) Sorry for inconveniences because of that.

From what I have seen, the reasons why gssapi is used when kerberos is available are

• the Kerberos API is absolutely attrocious for common use, unless you're very keen on the low level stuff. gss is simpler
• most krb5 implementations come with gssapi anyway, and the concepts map well between the two
• the krb5 C API moves too much. The schism between mit and heimdal krb5 apis is an enormous driver of people towards gssapi.
• microsoft has built-in api called SSPI which is basically GSSAPI in disguise (wire compatible, but uses different named functions) and it uses their krb5 implementation ("active directory") as well as snego.

-- DLeonard