- /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME */
- propval = (uschar *) gsasl_property_get(sctx, GSASL_AUTHZID);
- auth_vars[0] = expand_nstring[1] = propval ? propval : US"";
+ /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME
+ The display-name is authenticated as part of GSS, the authzid is claimed
+ by the SASL integration after authentication; protected against tampering
+ (if the SASL mechanism supports that, which Kerberos does) but is
+ unverified, same as normal for other mechanisms.
+
+ First coding, we had these values swapped, but for consistency and prior
+ to the first release of Exim with this authenticator, they've been
+ switched to match the ordering of GSASL_VALIDATE_SIMPLE. */