Although GSS-API allows applications to choose underlying security
mechanisms, applications should use the default mechanism that has been selected
by GSS-API if possible. Similarly, although GSS-API lets an application specify
a Quality of Protection level for protecting data, the default QOP should
be used if possible. Acceptance of the default mechanism is indicated by passing
GSS_C_NULL_OID to functions that expect a mechanism
or QOP as an argument.
Specifying a security mechanism or QOP explicitly defeats the purpose of using GSS-API. Such a specific selection limits the portability of an application. Other implementations of GSS-API might not support that QOP or mechanism in the intended manner. Nonetheless, Appendix C, Specifying an OID briefly discusses how to find out which mechanisms and QOPs are available, and how to choose one.