Generic Security Service Application Program Interface, Version 2



RFC 2078                        GSS-API                     January 1997


   2.4.12: GSS_Release_OID call..................................... 68
   2.4.13: GSS_OID_to_str call...................................... 68
   2.4.14: GSS_Str_to_OID call...................................... 69
   2.4.15: GSS_Inquire_names_for_mech call.......................... 69
   2.4.16: GSS_Inquire_mechs_for_name call.......................... 70
   2.4.17: GSS_Canonicalize_name call............................... 71
   2.4.18: GSS_Export_name call..................................... 72
   2.4.19: GSS_Duplicate_name call.................................. 73
   3: Data Structure Definitions for GSS-V2 Usage................... 73
   3.1: Mechanism-Independent Token Format.......................... 74
   3.2: Mechanism-Independent Exported Name Object Format........... 77
   4: Name Type Definitions......................................... 77
   4.1: Host-Based Service Name Form................................ 77
   4.2: User Name Form.............................................. 78
   4.3: Machine UID Form............................................ 78
   4.4: String UID Form............................................. 79
   5:  Mechanism-Specific Example Scenarios......................... 79
   5.1: Kerberos V5, single-TGT..................................... 79
   5.2: Kerberos V5, double-TGT..................................... 80
   5.3:  X.509 Authentication Framework............................. 81
   6:  Security Considerations...................................... 82
   7:  Related Activities........................................... 82
   Appendix A: Mechanism Design Constraints......................... 83
   Appendix B: Compatibility with GSS-V1............................ 83

1: GSS-API Characteristics and Concepts

   GSS-API operates in the following paradigm.  A typical GSS-API caller
   is itself a communications protocol, calling on GSS-API in order to
   protect its communications with authentication, integrity, and/or
   confidentiality security services.  A GSS-API caller accepts tokens
   provided to it by its local GSS-API implementation and transfers the
   tokens to a peer on a remote system; that peer passes the received
   tokens to its local GSS-API implementation for processing. The
   security services available through GSS-API in this fashion are
   implementable (and have been implemented) over a range of underlying
   mechanisms based on secret-key and public-key cryptographic
   technologies.
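   The calling paradigm described above, shown as an added example that is
   not part of RFC 2078 or of any GSS-API implementation. The caller
   ferries opaque tokens between an initiator and an acceptor until both
   sides report completion (the GSS_Init_sec_context()/GSS_Accept_sec_context()
   pattern), and only then uses the established context for per-message
   integrity protection (the GSS_GetMIC()/GSS_VerifyMIC() pattern). The
   "mechanism" underneath is a constructed pre-shared-key handshake built
   on HMAC-SHA256, not Kerberos or any real mechanism; the function
   signatures and the string values of the major-status constants are
   simplifications assumed for this example (the real C binding is
   specified separately in RFC 2744).

```python
"""Added illustration of the GSS-API calling paradigm (not RFC 2078 text).

The "mechanism" is a constructed pre-shared-key handshake, not Kerberos or any
real GSS mechanism.  Function names follow the RFC; their signatures are
simplified assumptions of this example.
"""
import hashlib
import hmac
import os

# Major-status names taken from RFC 2078; their values here are assumptions.
GSS_S_COMPLETE = "GSS_S_COMPLETE"
GSS_S_CONTINUE_NEEDED = "GSS_S_CONTINUE_NEEDED"
GSS_S_DEFECTIVE_TOKEN = "GSS_S_DEFECTIVE_TOKEN"
GSS_S_BAD_MIC = "GSS_S_BAD_MIC"
GSS_S_UNSEQ_TOKEN = "GSS_S_UNSEQ_TOKEN"


def _prf(key, *parts):
    """Length-prefixed HMAC-SHA256 over parts (constructed key derivation)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class ToyContext:
    """Security-context state held by one peer's (toy) GSS implementation."""

    def __init__(self, psk):
        self.psk = psk                  # pre-shared key standing in for credentials
        self.my_nonce = os.urandom(16)
        self.peer_nonce = None
        self.session_key = None         # set once establishment succeeds
        self.send_seq = 0               # sequence numbers for replay detection
        self.recv_seq = 0


def gss_init_sec_context(ctx, input_token):
    """Initiator side; returns (major_status, output_token_or_None)."""
    if input_token is None:
        return GSS_S_CONTINUE_NEEDED, ctx.my_nonce      # leg 1: our nonce
    # Leg 2 arrived: acceptor nonce followed by its proof of key possession.
    ctx.peer_nonce, proof = input_token[:16], input_token[16:]
    expected = _prf(ctx.psk, b"acceptor", ctx.my_nonce, ctx.peer_nonce)
    if not hmac.compare_digest(proof, expected):
        return GSS_S_DEFECTIVE_TOKEN, None
    ctx.session_key = _prf(ctx.psk, b"session", ctx.my_nonce, ctx.peer_nonce)
    # COMPLETE *and* an output token: the caller must still deliver leg 3.
    return GSS_S_COMPLETE, _prf(ctx.session_key, b"initiator", ctx.peer_nonce)


def gss_accept_sec_context(ctx, input_token):
    """Acceptor side; returns (major_status, output_token_or_None)."""
    if ctx.peer_nonce is None:
        ctx.peer_nonce = input_token
        ctx.session_key = _prf(ctx.psk, b"session", ctx.peer_nonce, ctx.my_nonce)
        proof = _prf(ctx.psk, b"acceptor", ctx.peer_nonce, ctx.my_nonce)
        return GSS_S_CONTINUE_NEEDED, ctx.my_nonce + proof   # leg 2
    expected = _prf(ctx.session_key, b"initiator", ctx.my_nonce)
    if not hmac.compare_digest(input_token, expected):
        return GSS_S_DEFECTIVE_TOKEN, None
    return GSS_S_COMPLETE, None


def gss_get_mic(ctx, message):
    """Per-message integrity token over (sequence number, message)."""
    seq = ctx.send_seq.to_bytes(4, "big")
    ctx.send_seq += 1
    return seq + _prf(ctx.session_key, b"mic", seq, message)


def gss_verify_mic(ctx, message, mic_token):
    """Check a MIC token; rejects replayed/reordered and modified messages."""
    seq, mic = mic_token[:4], mic_token[4:]
    if int.from_bytes(seq, "big") != ctx.recv_seq:
        return GSS_S_UNSEQ_TOKEN
    if not hmac.compare_digest(mic, _prf(ctx.session_key, b"mic", seq, message)):
        return GSS_S_BAD_MIC
    ctx.recv_seq += 1
    return GSS_S_COMPLETE


def establish(psk_initiator, psk_acceptor):
    """The caller's loop: it never inspects tokens, only ferries them until
    BOTH sides report GSS_S_COMPLETE.  Returns (init_ctx, acc_ctx, status, legs)."""
    init, acc = ToyContext(psk_initiator), ToyContext(psk_acceptor)
    init_status, token = gss_init_sec_context(init, None)
    acc_status, legs = GSS_S_CONTINUE_NEEDED, 0
    while not (init_status == GSS_S_COMPLETE and acc_status == GSS_S_COMPLETE):
        if token is None:
            raise RuntimeError("mechanism stalled: no token while incomplete")
        legs += 1
        acc_status, token = gss_accept_sec_context(acc, token)
        if acc_status not in (GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED):
            return None, None, acc_status, legs
        if token is not None:
            legs += 1
            init_status, token = gss_init_sec_context(init, token)
            if init_status not in (GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED):
                return None, None, init_status, legs
    return init, acc, GSS_S_COMPLETE, legs


if __name__ == "__main__":
    i, a, status, legs = establish(b"shared-secret", b"shared-secret")
    print(status, legs)                                  # GSS_S_COMPLETE 3
    mic = gss_get_mic(i, b"hello")
    print(gss_verify_mic(a, b"hello", mic))              # GSS_S_COMPLETE
    print(gss_verify_mic(a, b"hello", mic))              # GSS_S_UNSEQ_TOKEN
```

   Two points the loop makes concrete: the caller treats every token as
   opaque and keeps calling while either side reports
   GSS_S_CONTINUE_NEEDED, and a GSS_S_COMPLETE status can still be
   accompanied by an output token that must be sent to the peer. The
   per-message calls are only valid on a context that reached
   GSS_S_COMPLETE on both sides, and the sequence number carried in the
   MIC token is what lets the acceptor reject a replayed token.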

   The GSS-API separates the operations of initializing a security
   context between peers, achieving peer entity authentication (This
   security service definition, and other definitions used in this
   document, corresponds to that provided in International Standard ISO
   7498-2-1988(E), Security Architecture.) (GSS_Init_sec_context()  and
   GSS_Accept_sec_context() calls), from the operations of providing
   per-message data origin authentication and data integrity protection
   (GSS_GetMIC()  and GSS_VerifyMIC()  calls) for messages subsequently
   transferred in conjunction with that context.  When establishing a



Linn                        Standards Track