Developer's Guide to Oracle® Solaris 11 Security

Updated: July 2014
 
 

Limitations of GSS-API

    Although GSS-API makes protecting data simple, GSS-API avoids some tasks that would not be consistent with GSS-API's generic nature. Accordingly, GSS-API does not perform the following activities:

  • Provide security credentials for users or applications. Credentials must be provided by the underlying security mechanisms. GSS-API does allow applications to acquire credentials, either automatically or explicitly.

  • Transfer data between applications. The application has the responsibility for handling the transfer of all data between peers, whether the data is security-related or plain data.

  • Distinguish between different types of transmitted data. For example, GSS-API does not know whether a data packet is plain data or encrypted.

  • Indicate status due to asynchronous errors.

  • Protect by default information that has been sent between processes of a multiprocess program.

  • Allocate string buffers to be passed to GSS-API functions. See Strings and Similar Data in GSS-API.

  • Deallocate GSS-API data spaces. This memory must be explicitly deallocated with functions such as gss_release_buffer() and gss_release_name().
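
Because GSS-API neither transfers tokens nor distinguishes one kind of transmitted data from another, the application has to frame what it sends. The sketch below is an added example, not code from this guide: the frame types, the 64 KB cap, the `frame_*` functions and the `token_buf` stand-in for `gss_buffer_desc` are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for gss_buffer_desc (length + value) so this builds without GSS-API headers. */
typedef struct { size_t length; void *value; } token_buf;

/* Hypothetical frame types: GSS-API itself cannot tell these apart. */
enum { FRAME_CONTEXT_TOKEN = 1, FRAME_WRAPPED = 2, FRAME_PLAIN = 3 };

#define FRAME_HDR 5u              /* 1 type byte + 4-byte big-endian length */
#define FRAME_MAX (64u * 1024u)   /* assumed cap on the peer-supplied length */

/* Serialize one frame into out[cap]; returns bytes written, or 0 on error. */
size_t frame_encode(uint8_t type, const token_buf *tok, uint8_t *out, size_t cap)
{
    if (tok->length > FRAME_MAX || cap < FRAME_HDR + tok->length)
        return 0;
    out[0] = type;
    out[1] = (uint8_t)(tok->length >> 24);
    out[2] = (uint8_t)(tok->length >> 16);
    out[3] = (uint8_t)(tok->length >> 8);
    out[4] = (uint8_t)tok->length;
    if (tok->length)
        memcpy(out + FRAME_HDR, tok->value, tok->length);
    return FRAME_HDR + tok->length;
}

/* Parse one frame from untrusted input. Returns bytes consumed, 0 if more
 * data is needed, -1 if malformed. On success tok->value is malloc'd and
 * the caller must release it with frame_release(). */
long frame_decode(const uint8_t *in, size_t avail, uint8_t *type, token_buf *tok)
{
    tok->length = 0; tok->value = NULL;
    if (avail < FRAME_HDR) return 0;
    if (in[0] < FRAME_CONTEXT_TOKEN || in[0] > FRAME_PLAIN) return -1;
    uint32_t len = ((uint32_t)in[1] << 24) | ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 8) | in[4];
    if (len > FRAME_MAX) return -1;          /* reject before allocating */
    if (avail - FRAME_HDR < len) return 0;   /* truncated: wait for more */
    if (len && !(tok->value = malloc(len))) return -1;
    if (len) memcpy(tok->value, in + FRAME_HDR, len);
    tok->length = len; *type = in[0];
    return (long)(FRAME_HDR + len);
}

/* Explicit release, mirroring the gss_release_buffer() discipline. */
void frame_release(token_buf *tok)
{
    free(tok->value); tok->value = NULL; tok->length = 0;
}
```

The type byte is read before any GSS-API processing, so it is unauthenticated routing information only; a frame's contents are trusted only after the corresponding GSS-API call succeeds on them.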