Ticket 8901 removes one of the complications for extending the
accept_sec_context contract to apply to src_name. A second complication is
gss_inquire_context(), which is an alternate way to retrieve src_name from an
acceptor context. If gss_accept_sec_context() returned an unwrapped src_name
and gss_inquire_context() returned a wrapped src_name (it currently always
wraps), that would be an unfortunate inconsistency.

Heimdal has a more comprehensive approach to this issue: a mech can declare via
flags that it uses mechglue creds or mechglue names for all purposes. SPNEGO
does both; as a consequence, gss_set_neg_mechs() has to be implemented at the
mechglue layer rather than the SPNEGO layer. There are some interesting and
arguably beneficial side-effects: (1) a non-SPNEGO cred can be used as a SPNEGO
claimant or acceptor cred handle, and (2) SPNEGO does not have to implement
pass-through credential or name methods. However, the mechglue code to
implement these flags is not trivial, and there is a lot of potential for
memory errors if it is done incorrectly.