RFC 2078 (rfc2078) - Page 3 of 85
Generic Security Service Application Program Interface, Version 2
RFC 2078 GSS-API January 1997
2.4.12: GSS_Release_OID call..................................... 68
2.4.13: GSS_OID_to_str call...................................... 68
2.4.14: GSS_Str_to_OID call...................................... 69
2.4.15: GSS_Inquire_names_for_mech call.......................... 69
2.4.16: GSS_Inquire_mechs_for_name call.......................... 70
2.4.17: GSS_Canonicalize_name call............................... 71
2.4.18: GSS_Export_name call..................................... 72
2.4.19: GSS_Duplicate_name call.................................. 73
3: Data Structure Definitions for GSS-V2 Usage................... 73
3.1: Mechanism-Independent Token Format.......................... 74
3.2: Mechanism-Independent Exported Name Object Format........... 77
4: Name Type Definitions......................................... 77
4.1: Host-Based Service Name Form................................ 77
4.2: User Name Form.............................................. 78
4.3: Machine UID Form............................................ 78
4.4: String UID Form............................................. 79
5: Mechanism-Specific Example Scenarios......................... 79
5.1: Kerberos V5, single-TGT..................................... 79
5.2: Kerberos V5, double-TGT..................................... 80
5.3: X.509 Authentication Framework............................. 81
6: Security Considerations...................................... 82
7: Related Activities........................................... 82
Appendix A: Mechanism Design Constraints......................... 83
Appendix B: Compatibility with GSS-V1............................ 83
1: GSS-API Characteristics and Concepts
GSS-API operates in the following paradigm. A typical GSS-API caller
is itself a communications protocol, calling on GSS-API in order to
protect its communications with authentication, integrity, and/or
confidentiality security services. A GSS-API caller accepts tokens
provided to it by its local GSS-API implementation and transfers the
tokens to a peer on a remote system; that peer passes the received
tokens to its local GSS-API implementation for processing. The
security services available through GSS-API in this fashion are
implementable (and have been implemented) over a range of underlying
mechanisms based on secret-key and public-key cryptographic
technologies.
The GSS-API separates the operations of initializing a security
context between peers and achieving peer entity authentication (the
GSS_Init_sec_context() and GSS_Accept_sec_context() calls) from the
operations of providing per-message data origin authentication and
data integrity protection (the GSS_GetMIC() and GSS_VerifyMIC() calls)
for messages subsequently transferred in conjunction with that
context. (This security service definition, and other definitions
used in this document, correspond to those provided in International
Standard ISO 7498-2-1988(E), Security Architecture.) When establishing a
Linn Standards Track
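The token-relaying paradigm and the split between context establishment (GSS_Init_sec_context / GSS_Accept_sec_context) and per-message protection (GSS_GetMIC / GSS_VerifyMIC) described in section 1, as an added Python example that is not part of RFC 2078 or of any GSS-API implementation. The mechanism underneath is a constructed toy (a pre-shared secret and nonces stand in for Kerberos or X.509 credentials), and the function names mirror the GSS-API calls only by analogy.

```python
import hashlib, hmac, os
from dataclasses import dataclass
PRESHARED_SECRET = b"constructed-demo-secret"  # toy stand-in for real Kerberos/X.509 credentials
@dataclass
class Context:
    nonce: bytes = b""
    session_key: bytes = b""   # empty until the context is established
    seq: int = 0               # last MIC seq issued (sender) / accepted (receiver)

def init_sec_context(ctx, input_token=None):
    # GSS_Init_sec_context analogue; returns (output_token, continue_needed).
    if input_token is None:                    # first call: emit initial token
        ctx.nonce = os.urandom(16)
        return b"INIT:" + ctx.nonce, True
    assert input_token.startswith(b"ACCEPT:")  # second call; reply is b"ACCEPT:" + nonce
    ctx.session_key = hashlib.sha256(PRESHARED_SECRET + ctx.nonce + input_token[7:]).digest()
    return None, False

def accept_sec_context(ctx, input_token):
    # GSS_Accept_sec_context analogue; returns (output_token, continue_needed).
    assert input_token.startswith(b"INIT:")
    peer_nonce, ctx.nonce = input_token[len(b"INIT:"):], os.urandom(16)
    ctx.session_key = hashlib.sha256(PRESHARED_SECRET + peer_nonce + ctx.nonce).digest()
    return b"ACCEPT:" + ctx.nonce, False

def establish():
    # The caller's establishment loop: it only relays opaque tokens between peers.
    initiator, acceptor = Context(), Context()
    token, cont = init_sec_context(initiator)
    while cont:
        reply, _ = accept_sec_context(acceptor, token)    # token "sent" to peer
        token, cont = init_sec_context(initiator, reply)  # reply "received"
    return initiator, acceptor

def get_mic(ctx, message):
    # GSS_GetMIC analogue: 4-byte sequence number + HMAC over (seq || message).
    assert ctx.session_key, "per-message calls need an established context"
    ctx.seq += 1
    seq = ctx.seq.to_bytes(4, "big")
    return seq + hmac.new(ctx.session_key, seq + message, hashlib.sha256).digest()

def verify_mic(ctx, message, mic_token):
    # GSS_VerifyMIC analogue: rejects a bad tag and a replayed/old sequence number.
    assert ctx.session_key, "per-message calls need an established context"
    seq = int.from_bytes(mic_token[:4], "big")
    expected = hmac.new(ctx.session_key, mic_token[:4] + message, hashlib.sha256).digest()
    ok = hmac.compare_digest(mic_token[4:], expected) and seq > ctx.seq
    if ok:
        ctx.seq = seq
    return ok
```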