The Simple and Protected GSS-API Negotiation Mechanism (RFC2478)

IP.com Disclosure Number: IPCOM000003058D
Original Publication Date: 1998-Dec-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 14 page(s) / 33K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

E. Baize: AUTHOR [+2]

Abstract

This document specifies a Security Negotiation Mechanism for the Generic Security Service Application Program Interface (GSS-API) which is described in [1].

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 9% of the total text.

Network Working Group                                           E. Baize
Request for Comments: 2478                                     D. Pinkas
Category: Standards Track                                           Bull
                                                           December 1998

The Simple and Protected GSS-API Negotiation Mechanism

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1998). All Rights Reserved.

1. ABSTRACT

This document specifies a Security Negotiation Mechanism for the Generic Security Service Application Program Interface (GSS-API) which is described in [1].

The GSS-API provides a generic interface which can be layered atop different security mechanisms such that if communicating peers acquire GSS-API credentials for the same security mechanism, then a security context may be established between them (subject to policy). However, GSS-API doesn't prescribe the method by which GSS-API peers can establish whether they have a common security mechanism.

The Simple and Protected GSS-API Negotiation Mechanism defined here is a pseudo-security mechanism, represented by the object identifier iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2), which enables GSS-API peers to determine in-band whether their credentials share common GSS-API security mechanism(s), and if so, to invoke normal security context establishment for a selected common security mechanism. This is most useful for applications that are based on GSS-API implementations which support multiple security mechanisms. It allows the peers to negotiate different security mechanisms, different options within a given security mechanism, or different options from several security mechanisms.

Once the common security mechanism is identified, the security mechanism may also negotiate mechanism-specific options during its context establishment. This will be inside the mechanism tokens, and invisible to the SPNEGO protocol.

The simple and protected GSS-API mechanism negotiation is based on the following negotiation model: the initiator proposes one security mechanism or an ordered list of security mechanisms; the target either accepts the proposed security mechanism, or chooses one from an offered set, or rejects the proposed value(s). The target then informs the initiator of its choice.
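The negotiation round just described, modelled in Python from both sides so it can be run offline. This is an added example, not code from the RFC or from any GSS-API implementation: the ASN.1/DER token encoding that the real protocol uses is omitted, the token and result names (NegTokenInit, NegTokenTarg, negResult, supportedMech) follow RFC 2478 but the classes here are simplifications, and the mechanism OIDs MECH_A/MECH_B/MECH_C are constructed placeholders; only the SPNEGO OID 1.3.6.1.5.5.2 comes from the text. The initiator-side check that the target's chosen mechanism was actually one it offered is the part a practitioner should carry into any real implementation, since a reply naming an unoffered mechanism is invalid and must not be acted on.

```python
from dataclasses import dataclass
from typing import Optional

# OID of the SPNEGO pseudo-mechanism itself, as given in the RFC text.
SPNEGO_OID = "1.3.6.1.5.5.2"

# negResult values carried in the target's reply (names as in RFC 2478;
# accept_completed is omitted because this model stops at mechanism choice).
ACCEPT_INCOMPLETE = "accept_incomplete"   # a mechanism was chosen; its own
                                          # context establishment still follows
REJECT = "reject"                         # no common mechanism


@dataclass
class NegTokenInit:
    """Initiator's proposal: one or more mechanism OIDs, most preferred first."""
    mech_types: list


@dataclass
class NegTokenTarg:
    """Target's answer: the result and, on acceptance, the mechanism it chose."""
    neg_result: str
    supported_mech: Optional[str] = None


def initiator_propose(preferred: list) -> NegTokenInit:
    """Build the initiator's proposal, keeping the caller's preference order."""
    if not preferred:
        raise ValueError("initiator must propose at least one mechanism")
    if SPNEGO_OID in preferred:
        # SPNEGO is the negotiation wrapper, not a mechanism one can negotiate to.
        raise ValueError("SPNEGO OID cannot be listed as a negotiable mechanism")
    return NegTokenInit(list(preferred))


def target_choose(token: NegTokenInit, supported: set) -> NegTokenTarg:
    """Target side: accept the first proposed mechanism it also supports,
    honouring the initiator's preference order; otherwise reject."""
    for oid in token.mech_types:
        if oid in supported:
            return NegTokenTarg(ACCEPT_INCOMPLETE, oid)
    return NegTokenTarg(REJECT)


def initiator_check(sent: NegTokenInit, reply: NegTokenTarg) -> Optional[str]:
    """Initiator side: validate the target's reply before using it.
    Returns the agreed mechanism OID, or None when the target rejected."""
    if reply.neg_result == REJECT:
        if reply.supported_mech is not None:
            raise ValueError("a reject reply must not name a supportedMech")
        return None
    if reply.neg_result != ACCEPT_INCOMPLETE:
        raise ValueError(f"unknown negResult {reply.neg_result!r}")
    # The negotiation only ranges over the initiator's own list: a reply
    # naming something the initiator never offered is invalid, not a choice.
    if reply.supported_mech not in sent.mech_types:
        raise ValueError(
            f"target chose {reply.supported_mech}, which was not proposed")
    return reply.supported_mech


def negotiate(initiator_prefs: list, target_supported) -> Optional[str]:
    """Run one negotiation round with both peers in-process (no network)."""
    init = initiator_propose(initiator_prefs)
    targ = target_choose(init, set(target_supported))
    return initiator_check(init, targ)


# Constructed placeholder OIDs for illustration; not real mechanism identifiers.
MECH_A = "1.2.3.4.5.1"   # hypothetical mechanism, initiator's favourite
MECH_B = "1.2.3.4.5.2"   # hypothetical mechanism
MECH_C = "1.2.3.4.5.3"   # hypothetical mechanism

if __name__ == "__main__":
    # Target lacks MECH_A, so the initiator's second choice is agreed.
    print(negotiate([MECH_A, MECH_B], {MECH_B, MECH_C}))
    # No overlap at all: the target rejects and None is returned.
    print(negotiate([MECH_A], {MECH_C}))
```

The target walks the initiator's list in order rather than its own, which is what makes the initiator's preference ordering meaningful; a target that picked from its own priority list instead would silently override that ordering.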

In its basic form this protocol requires an extra round trip. Network connection setup is a critical performance characteristic of any network infrastructure, and extra round trips over WAN links, packet radio networks, etc. really make a difference. In order to...