On Sep 28, 2006, at 3:03 PM, Josh Berkus wrote:
> Tom,
>
>> It would depend in part on the size of the patch, and on whether
>> there
>> are any arguments for supporting GSSAPI besides "Java can't do
>> Kerberos".
>> What would it buy for a libpq user?
>
> According to the Solaris Security engineers, GSSAPI is more secure
> than
> using the Kerberos headers. Also, in theory GSSAPI is supposed to
> support multiple authentication back-ends (ldap, liberty, etc.), but I
> personally have never seen support for anything but Kerberos.
I think that GSSAPI is more tolerant of connections through NAT's. I
think it's more robust to current network reality, but I'm not aware
it's actually more secure if you're using comparable verification
options.
As noted elsewhere on this thread it's more available.
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
