Browse Prior Art Database

The Simple Public-Key GSS-API Mechanism (SPKM) (RFC2025)

IP.com Disclosure Number: IPCOM000002579D
Original Publication Date: 1996-Oct-01
Included in the Prior Art Database: 2019-Feb-16
Document File: 45 page(s) / 60K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

C. Adams: AUTHOR

Related Documents

10.17487/RFC2025: DOI

Abstract

This specification defines protocols, procedures, and conventions to be employed by peers implementing the Generic Security Service Application Program Interface (as specified in RFCs 1508 and 1509) when using the Simple Public-Key Mechanism. [STANDARDS-TRACK]

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 4% of the total text.

Network Working Group C. Adams Request for Comments: 2025 Bell-Northern Research Category: Standards Track October 1996

The Simple Public-Key GSS-API Mechanism (SPKM)

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Abstract

This specification defines protocols, procedures, and conventions to be employed by peers implementing the Generic Security Service Application Program Interface (as specified in RFCs 1508 and 1509) when using the Simple Public-Key Mechanism.

Background

Although the Kerberos Version 5 GSS-API mechanism [KRB5] is becoming well-established in many environments, it is important in some applications to have a GSS-API mechanism which is based on a public- key, rather than a symmetric-key, infrastructure. The mechanism described in this document has been proposed to meet this need and to provide the following features.

1) The SPKM allows both unilateral and mutual authentication to be accomplished without the use of secure timestamps. This enables environments which do not have access to secure time to nevertheless have access to secure authentication.

2) The SPKM uses Algorithm Identifiers to specify various algorithms to be used by the communicating peers. This allows maximum flexibility for a variety of environments, for future enhancements, and for alternative algorithms.

3) The SPKM allows the option of a true, asymmetric algorithm- based, digital signature in the gss_sign() and gss_seal() operations (now called gss_getMIC() and gss_wrap() in [GSSv2]), rather than an integrity checksum based on a MAC computed with a symmetric algorithm (e.g., DES). For some environments, the availability of true digital signatures supporting non-repudiation is a necessity.

Adams Standards Track [Page 1]

RFC 2025 SPKM October 1996

4) SPKM data formats and procedures are designed to be as similar to those of the Kerberos mechanism as is practical. This is done for ease of implementation in those environments where Kerberos has already been implemented.

For the above reasons, it is felt that the SPKM will offer flexibility and functionality, without undue complexity or overhead.

Key Management

The key management employed in SPKM is intended to be as compatible as possible with both X.509 [X.509] and PEM [RFC-1422], since these represent large communities of interest and show relative maturity in standards.

Acknowledgments

Much of the material in this document is based on the Kerberos Version 5 GSS-API mechanism [KRB5], and is intended to be as compatible with it as possible. This document also owes a great debt to Warwick Ford and Paul Van Oorschot of Bell-Northern Research for many fruitful discussions, to Kelvin Desplanque for implementati...

Processing...
Loading...